There are several methodologies for penetration testing like OSSTMM, NIST and other frameworks. What are the differences among them? Who is the intended audience and where is the intended place/sector for these methodologies? I read their documentations, but could not decide.
Asked
Active
Viewed 3,253 times
1 Answers
13
The PTES -- http://www.pentest-standard.org -- has one aspect the other frameworks do not, actionability from tools -- http://www.nothink.org/metasploit/documentation/metasploit_msf_analysis_ptes.pdf
An updated version of the tools to perform a PTES-based pen test, including the MSF analysis is available here -- https://github.com/trustedsec/ptf
OSSTMM does have a tool component, but only available from the expensive training. SANS has developed similar criteria to establish testing frameworks through expensive training, but they do have a great GPWN mailing list that is open to the public.
IMO, NIST Special Pubs do not cover pen testing per se, because even SP 800-115 doesn't take into account the complexities necessary to define or organize the best-practice thought around pen testing as performed by Veris Group, Silent Break Security, Mandiant, or similar outfits. The PCI-DSS guidelines go a lot further than what NIST provides, but it is still a bit lackluster -- https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
To answer your question directly, I would say that the pen testing standards you referenced are outdated, while PTES is the commonly-held 2016 worldwide standard. There are also standards for the UK, namely CHECK, CREST and CBEST.
atdre
- 18,885
- 6
- 58
- 107