Firms depend heavily on IT. They increasingly engage security professionals. A typically demanded service is the security analysis of their information systems, also known as a penetration test. Pentest-standard.org is a valuable initiative that provides both security vendors and their customers with one common "pen testing" language and scope, as you can read in their FAQ section.
Key players such as Chris Nickerson, Dave Kennedy, Chris John Riley, Carlos Perez and Wim Remes, among many others, have contributed to making pentest-standard.org a necessary go-to site for security pen testers. First conceived in 2009 and created in 2010, the site has had over 1800 content reviews and it continues to evolve. Pentest-standard.org uses a handy wiki format and welcomes contributions from the community via either the corresponding LinkedIn group or a PDF-based collaboration site powered by Adobe.
I highlight two components of this site:
- The seven pen-testing execution stages: Each of them starts off with a valuable mind map that could very well serve as the script to follow in a formal pen-testing engagement. Non-technical but pivotal elements, such as scoping and payment methods, are also covered.
- The technical guidelines: An excellent compilation of links and tools, both free and commercial software, required for each of the pen-test phases.
Finally, I would like to thank everyone involved in this "pen-testing vademecum" and invite the Infosec community to contribute. A revealing question would be: how much of what you can read on pentest-standard.org do you already know?
A version of this post in Spanish is available here.