Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Penetration Testing Execution Standard

Well, after many months of hard work in the background, we’ve reached that point where it’s time to talk about PTES openly.

PTES (Penetration Testing Execution Standard) is a community driven project designed to clearly define what a penetration test is for both businesses and security service providers. Through a common language and scope for performing penetration tests, we hope to raise the overall quality of testing and really help businesses define what it is they need and expect from a penetration test.

As much as we hate to admit it ourselves, there’s a lot of low-quality testing taking place. Setting a standardized approach to scoping, performing and reporting a penetration test will ultimately help  bring up the level of penetration testing to where it should be (or where we hope it will be).

Now, we can’t hope to cover every eventuality, and we certainly won’t try to tell testers what nmap options to use, but we can try to define the minimum steps and coverage required to really differentiate a vulnerability scan from a penetration test. It may sound silly to some, but businesses don’t know what they’re getting some times… and thinking you’re secure is never a good option!

Currently we’re in pre-alpha stages, so please get involved. Let us know what you think. Comment, discuss, argue… This doesn’t work without a community behind it.

Note: Please take time to read what we’re attempting and look at the mind-map information before starting to flame… The only thing worse than trying and failing, is not trying at all!



6 responses to “Penetration Testing Execution Standard

  1. jcran March 9, 2011 at 20:21

    definitely agree there’s a ton of work to do w/ terminology and concepts alone, and i’m happy to help. just signed up 🙂

%d bloggers like this: