Penetration testing is one of those branches of security testing that has evolved over the years and taken a methodical and logical form through adoption of tricks and techniques used by hackers.
Different groups and forums have come up with different frameworks for penetration testing giving their own angle thus benefiting white hat hackers and security auditors alike.
Different frameworks – to the likes of OSSTMM, NIST SP 800-115, OWASP – take different approach towards tackling the penetration testing behemoth and even though they all want the same outcome, the languages they speak are different that ends up creating a lot of loose ends.
Beyond this, there is no framework other than OSSTMM that looks at penetration testing in its entirety thus, leaving the security community and customers a lot more confused than enlightened.
Penetration Testing Execution Standard (PTES) has been formulated to lay a common ground, language and methodology through which customers and consultants may communicate, plan and execute penetration testing of required assets. PTES focuses on quality centred measurable and repeatable services that would enable penetration testers to deliver value to their clients.
One may argue that OSSTMM is one of the most used and relied upon open standard but it actually doesn’t address the ‘How?’ and the ‘What?’ of penetration testing and misses out on setting example goals of each type of test.
NIST SP 800-115 [PDF] is a lot more limited than the OSSTMM and touches upon the ‘What’, ‘Where’, ‘Why’ & ‘How’ of the execution very vaguely.
The PTES tends to focus on the execution of penetration testing through seven main sections that can be understood by both businesses which are looking for such tests in their environment and consultants who wish to deliver such services. Prospect customers will be able set common evaluation criteria on weigh the expertise of different consultants.
The standard doesn’t just concentrate on the Top 10 or Top 20 unlike other frameworks or methodologies thus setting a stage for more elaborate, comprehensive and targeted to business specific needs.
Arranged in a systematic manner while adopting all the known and established penetration testing methods, the PTES lays quite a lot of emphasis on reporting as that is what matters the most. Exploiting vulnerability and rooting the server is definitely not what PTES is in its core.
With provision for reporting for various levels of personnel at customers’ end i.e. Executive summary to the tinniest detail for the technical team, the standard delves into threat modelling, risk ratings, origin of risks, strategic remedial actions whether corrective or preventive and so on.
Security professionals across the globe would definitely like to adopt a standardized method in anything they wish to do and with the standard trying to fill a gaping hole for penetration testers, it wouldn’t be entirely correct to say that yes PTES is the answer to all questions.
Creativity is what drives the security analysis and penetration testing field, and being told what to do might not always go down well with evangelists!
