Penetration testing methodologies and frameworks
In this section, we are going to take a look at various penetration testing methodologies and frameworks. To begin, we must understand what is meant by a methodology. A methodology is a set of methods applied to a field of study or an activity using a systematic approach. Another important term in the field of penetration testing is framework. A penetration testing framework is a comprehensive guide that details the usage of security-auditing tools for each category of penetration testing.
Completing your first training in penetration testing can be very exciting, and you are probably very eager to hack something. Imagine you’re on the client’s network, and you begin to simulate your attacks all at once, focusing on a particular set of vulnerabilities or systems. A lot of misfires can occur: exploits can hit targets that are not specified within the scope of the penetration test agreements, and this can be bad for business and create a bad reputation. Secondly, without using a systematic approach, the desired result probably won’t be attained at the end of your testing.
Hence, during the pre-attack phase of a penetration test, it is good to choose either a methodology or a framework best suited to the potential target’s infrastructure. The framework will ensure that the penetration tester follows a specific set of guidelines in obtaining the desired output and interpreting the results.
The following are some of the more popular penetration testing methodologies and frameworks:
- OWASP testing guide
- PCI penetration testing guide
- Penetration testing execution standard
- Open Source Security Testing Methodology Manual (OSSTMM)