Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Penetration Testing Execution Standard

Well, after many months of hard work in the background, we’ve reached that point where it’s time to talk about PTES openly.

PTES (Penetration Testing Execution Standard) is a community-driven project designed to clearly define what a penetration test is for both businesses and security service providers. Through a common language and scope for performing penetration tests, we hope to raise the overall quality of testing and really help businesses define what it is they need and expect from a penetration test.

As much as we hate to admit it ourselves, there’s a lot of low-quality testing taking place. Setting a standardized approach to scoping, performing and reporting a penetration test will ultimately help bring up the level of penetration testing to where it should be (or where we hope it will be).

Now, we can’t hope to cover every eventuality, and we certainly won’t try to tell testers what nmap options to use, but we can try to define the minimum steps and coverage required to really differentiate a vulnerability scan from a penetration test. It may sound silly to some, but businesses don’t know what they’re getting sometimes… and thinking you’re secure is never a good option!

Currently we’re in pre-alpha stages, so please get involved. Let us know what you think. Comment, discuss, argue… This doesn’t work without a community behind it.

Note: Please take time to read what we’re attempting and look at the mind-map information before starting to flame… The only thing worse than trying and failing, is not trying at all!



6 responses to “Penetration Testing Execution Standard”

  1. kB March 5, 2011 at 11:44

    How can community help?

  2. ChrisJohnRiley March 5, 2011 at 12:22

    We’re going to be putting up some information soon on the site so that the community can get involved. Right now we’re hoping to spur discussions…

  3. jcran March 6, 2011 at 04:17

    Looks like a good start at documenting penetration testing from a consultant’s perspective.

    You mention you’re not looking to document which nmap options to run, and I noticed there’s no mention of specific tools. I’m certainly pleased it’s remaining vendor / tool-agnostic, but the current abstraction level leaves it fairly abstract.

    As with any standard, generality (“here’s what to do”) and practicality (“here’s how to do it”) is a tough balance. What’s the ultimate goal for this?

  4. ChrisJohnRiley March 6, 2011 at 10:50

    You’re right that it’s going to be a tricky balance, and I’m sure we’ll have to play with it for a while before we get the right balance.

    The main goal is to get the business and the testers on the same page! Right now there’s so much terminology that it’s hard to really tell what sort of test you’re getting… and with that, what quality!

    If we go down the avenue of listing techniques and tools, then we have to be careful not to date things. It’s something that we’ll need to play with to give valid examples that help define the requirements without limiting the tester or quickly becoming outdated.

    It’s a long road ahead! Hope you’ll agree to help…

  5. Pingback: Week 9 in Review – 2011 | Infosec Events
