
Penetration testing methodologies – an overview
Penetration testing is a form of cyber security assessment that evaluates the security of your company’s systems, applications, or networks. It does this by replicating the attack methods used by real-world cyber attackers. This blog will give an overview of the different penetration testing methodologies.
Penetration testing is conducted by a suitably skilled tester, who uses mainly manual techniques, combined at points with automated vulnerability scanners and other testing tools. Testing relies heavily on the expertise of the tester to find and exploit potential cyber security weaknesses within the organisation being tested, to advise on the risk to the organisation and the steps required to mitigate the weaknesses. If you’re interested in becoming a penetration tester, read our blog on “how to start a career in penetration testing”.
Why do I need a penetration test?
Penetration testing is an invaluable tool for improving enterprise security. It helps your company to find unpatched vulnerabilities in systems, applications and networks, while also providing independent assurance that your security defences are robust.
If your company wishes to work with a new supplier, you’ll often find that they mandate a penetration test before you can start your working relationship. This is due to the rising prominence of supply chain attacks, which have underscored the need for consistent, up-to-date vulnerability management across supplier and customer ecosystems.
As well as this, common security standards like PCI DSS, policies within an ISO 27001 ISMS and regulations such as the UK GDPR also reinforce the need for penetration testing for security assurance and resilience.
For a full overview of what penetration testing is, read our Guide to Penetration Testing.
Decoding the jargon
While penetration testing is clearly important for enterprise security, it is far from a straightforward process. Testing is a very technical discipline, meaning that, when shopping for a penetration testing provider, you may feel daunted by the number of acronyms and the quantity of jargon you hear, most of which will relate to penetration testing methodologies.
The good news is that you do not need to have a deep understanding of these methodologies. They are technical guides aimed at the testers who conduct penetration testing. However, it’s still important to have a top-level understanding of the different approaches: which ones are credible and why it’s important your penetration testing team uses one.
Watch out for red flags
First and foremost, as you look to procure a penetration testing provider, you should check whether they follow a methodology for penetration testing, and which one. Usually, their methodology will be one of the below but, in some cases, organisations do create their own testing methodologies, adapted from a standardised one.
While this can be sufficient, it would be well worth asking the provider to list what their methodology covers in the scoping document for testing activities. As penetration testing accreditation body CREST notes, you should look for a methodology that:
- Is built on proven approaches
- Aligns with accredited resources
- Provides specific testing parameters
- Utilises common industry language
- Explains the approach for each stage of testing
If a provider does not align their testing to a methodology, this is a red flag. It indicates a lack of consistency and strategy for penetration testing, which could lead to gaps in the activity and sloppy results that don’t find all the vulnerabilities in your systems.
The different pen test methodologies
There are several industry-standard methodologies out there. Opinion varies on what the best methodology is but, generally speaking, the Open Source Security Testing Methodology Manual (“OSSTMM”) and the Open Web Application Security Project (“OWASP”) are the most highly regarded.
A good supplier will have a solid understanding of all the methodologies below. In fact, they will usually go above and beyond these methodologies to ensure their testing is as comprehensive as can be. This is because standard methodologies offer wide-ranging guidance for testing, so aren’t tailored to the nuances of individual client scenarios.
Below is an overview of the main penetration testing methodologies today. These methodologies are a mixture of open-source initiatives and guides produced by industry bodies.
- OSSTMM is a peer-reviewed methodology for performing infrastructure penetration tests. The methodology gives details on what needs to be tested and gives guidelines on what to do pre-testing, during testing, and post-testing. It also offers advice on how to measure the results of a test and provides ‘Rules of Engagement’. These scope out expectations from both the tester and the client, including everything from advertising tests to the kind of reports clients should expect to receive. Because OSSTMM is peer-reviewed, it is updated regularly with the latest best practices.
- OWASP is an open-source methodology that is regularly updated by testers in the industry, focused on web and mobile application testing. It provides recommendations for penetration testing tools, as well as guidelines and documents to guide testing engagements. OWASP takes a people, process and technology (“PPT”) approach to testing – taking into account the human element often involved in cyber security breaches.
- The National Institute of Standards and Technology (“NIST”) discusses penetration testing in SP 800-115. NIST’s methodology is not as thorough as OSSTMM. However, it does provide solid regulatory guidelines for carrying out testing.
- The Information Systems Security Assessment Framework (“ISSAF”) is another peer-reviewed framework. It was created by the Open Information Systems Security Group. It provides many recommendations for effective cyber security, spreading beyond just penetration testing. While its guidance for penetration testing is detailed, ISSAF is a newer standard and, as CREST describes, is “still in its infancy.”
- The Penetration Testing Execution Standard (“PTES”) is another developing standard, stemming from a group of volunteers within the industry. PTES aims to explain penetration testing in a way that is understandable to businesses, as well as security providers.
As well as these methodologies, a resource we recommend you review is the National Cyber Security Centre’s CHECK resources on penetration testing. These resources are aimed at business leaders and offer advice and guidance around what penetration testing is and how to choose the right provider for you.
Need help?
If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. As a CREST-accredited penetration tester, we can assess your environment, run a full penetration test and provide additional security assessment and assurance services. Contact us for a friendly chat.