Pentest Methodologies

Captainyarimca

New member
15 Nov 2020
Introduction

There are a number of standards for performing penetration tests. These standards are used to make penetration tests easier, more practical and more useful. The general name for these standards is pentest methodologies.



What is Penetration Testing (Pentest) Methodology?

A penetration test (pentest) methodology is a set of standard, globally accepted rules established by various communities to give a better result.
The most important standards in penetration testing methodologies are:

OWASP (Open Web Application Security Project)

OSSTMM (The Open Source Security Testing Methodology Manual)

ISSAF (Information Systems Security Assessment Framework)

NIST SP800-115

PTES (Penetration Testing Execution Standard)

FedRAMP



OWASP (Open Web Application Security Project)

This standard was created for inspecting web applications that require penetration testing. Its test stages form a checklist-based penetration testing methodology.
This standard also has a wide range of practical uses. OWASP is a very good methodology for securing web applications.
OWASP's checklist for application security consists of 11 main headings. These are:

1-Information gathering
2-Configuration and Deployment Management Test
3-Identity Management Test
4-Authentication Test
5-Authorization Test
6-Session Management Test
7-Input Validation Test
8-Error Handling Test
9-Weak Cryptography Test
10-Business Logic Test
11-Client Side Test



OSSTMM (The Open Source Security Testing Methodology Manual)

OSSTMM was created for open source security testing. This methodology provides fast and important information for open source security tests. Thanks to this information, these tests can be performed faster and have the advantage of being repeatable.
OSSTMM also has key sections. These are:

1-Operational Security Metrics
2-Trust Analysis
3-Workflow
4-Human Security Test
5-Physical Security Test
6-Wireless Security Test
7- Security Test
8-Data Networks Security Test
9-Compliance Legislation
10-Reporting with STAR (Security Test Audit Report)



ISSAF (Information Systems Security Assessment Framework)

This methodology is a great help with security checklists and information security. Although its community is not very active, the methodology still works for pentests and holds an important place as a good penetration testing methodology.
Another feature of ISSAF is that it does not have key sections.



NIST SP800-115

NIST SP800-115 supports pentests with information security testing and assessment techniques. It is a guideline and remains an important reference for pentests today. It allows institutions and organizations to technically test and analyze their information security, and it helps in finding and developing new strategies for penetration testing. The guide provides information on examining penetration tests, as well as suggestions for making penetration testing practical. Thanks to this information, it is of great help in system and network penetration tests.
NIST SP800-115 consists of 5 main topics. These are:

1-Target Identification and Analysis Techniques
2-Target Vulnerability Verification Techniques
3-Security Assessment Planning
4-Security Assessment Activities
5-Post-Test Activities



Penetration Testing Execution Standard (PTES)

PTES is an open source methodology created for penetration testing, and pentesters use it quite frequently.
PTES consists of 7 main sections. These are:

1-Pre-engagement Interactions
2-Intelligence gathering
3-Threat Modeling
4-Vulnerability Analysis
5-Exploitation
6-Post-Exploitation
7-Reporting



FedRAMP

FedRAMP's purpose is to support the security assessment and authorization of cloud-based services. In short, FedRAMP comes up in penetration tests of cloud-based services. FedRAMP originated as a methodology for standardizing how this assessment is applied to information services.
FedRAMP is a great pentesting guide for reporting, planning and executing penetration tests.
FedRAMP consists of 9 main parts. These are:

1-Information Gathering and Discovery Phase
2-Web Application and API Test Information Collection and Discovery Phase
3-Mobile Application Information Collection and Discovery Phase
4-Network Information Gathering and Discovery Phase
5-Social Engineering Information Gathering and Discovery Phase
6-Internal Network Information Gathering and Discovery Phase
7-The Exploitation Stage
8-Post-Exploitation Phase
9-Reporting



Conclusion

In conclusion, methodologies are an indispensable guide for pentests. They make the pentester's job easier and make the penetration test practical. Therefore, methodologies are indispensable in penetration tests.

source: https://www.turkhackteam.org/siber-guvenlik/1926931-pentest-metodolojileri.html
translator: Captainyarimca