13

There are several methodologies for penetration testing like OSSTMM, NIST and other frameworks. What are the differences among them? Who is the intended audience and where is the intended place/sector for these methodologies? I read their documentation, but could not decide.

schroeder
etooo

1 Answer

13

The PTES -- http://www.pentest-standard.org -- has one aspect the other frameworks do not, actionability from tools -- http://www.nothink.org/metasploit/documentation/metasploit_msf_analysis_ptes.pdf

An updated version of the tools to perform a PTES-based pen test, including the MSF analysis is available here -- https://github.com/trustedsec/ptf

OSSTMM does have a tool component, but only available from the expensive training. SANS has developed similar criteria to establish testing frameworks through expensive training, but they do have a great GPWN mailing list that is open to the public.

IMO, NIST Special Pubs do not cover pen testing per se, because even SP 800-115 doesn't take into account the complexities necessary to define or organize the best-practice thought around pen testing as performed by Veris Group, Silent Break Security, Mandiant, or similar outfits. The PCI-DSS guidelines go a lot further than what NIST provides, but it is still a bit lackluster -- https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

To answer your question directly, I would say that the pen testing standards you referenced are outdated, while PTES is the commonly-held 2016 worldwide standard. There are also standards for the UK, namely CHECK, CREST and CBEST.

atdre