Penetration Testing

IEEE Standard for Software Test

Penetration Testing Internet Security Whitepapers

The purpose of this standard is to describe a set of basic software test documents. A standardized test document can facilitate communication by providing a common frame of reference (e.g., a customer and a supplier have the same deÞnition for a test plan). The content deÞnition of a standardized test document can serve as a completeness checklist for the associated testing process. A standardized set can also provide a baseline for the evaluation of current test documentation practices. In many organizations, the use of these documents signiÞcantly increases the manageability of testing. Increased manageability results from the greatly increased visibility of each phase of the testing process.

Open-Source Security Testing Methodology Manual (OSSTMM 2.1)

Penetration Testing Internet Security Whitepapers

This manual is a combination of ambition, study, and years of experience. The individual tests themselves are not particularly revolutionary, but the methodology as a whole does represent the benchmark for the security testing profession. And through the thoroughness of its application you will find a revolutionary approach to testing security. This manual is a professional standard for security testing in any environment from the outside to the inside. As a professional standard, it includes the rules of engagement, the ethics for the professional tester, the legalities of security testing, and a comprehensive set of the tests themselves. As security testing continues to evolve into being a valid, respected profession, the OSSTMM intends to be the professional’s handbook.

Open-Source Security Testing Methodology Manual (OSSTMM 2.2)

Penetration Testing Internet Security Whitepapers

This manual is a combination of ambition, study, and years of experience. The individual tests themselves are not particularly revolutionary, but the methodology as a whole does represent the benchmark for the security testing profession. And through the thoroughness of its application you will find a revolutionary approach to testing security. The objective of this manual is to create one accepted method for performing a thorough security test. Details such as the credentials of the security tester, the size of the security firm, financing, or vendor backing will impact the scale and complexity of our test – but any network or security expert who meets the outline requirements in this manual will have completed a successful security profile. You will find no recommendation to follow the methodology like a flowchart. It is a series of steps that must be visited and revisited (often) during the making of a thorough test.

Penetration Testing

Penetration Testing Internet Security Whitepapers

Near flawless penetration testing is a requirement for highrated secure systems — those rated above B1 based on the Trusted Computer System Evaluation Criteria (TCSEC) and its Trusted Network and Database Interpretations (TNI and TDI). Unlike security functional testing, which demonstrates correct behavior of the product’s advertised security controls, penetration testing is a form of stress testing which exposes weaknesses — that is, flaws — in the trusted computing base (TCB). This essay describes the Flaw Hypothesis Methodology (FHM), the earliest comprehensive and widely used method for conducting penetrations testing.

Penetration Testing Model

Penetration Testing Internet Security Whitepapers

This study on "A Penetration Testing Model" addresses the use of penetration testing in security relevant IT systems. The security of systems that are linked to public networks can be compromised by unauthorized, and usually anonymous, attempts to access them. This situation calls for test methods that are devised from the attacker’s perspective to ensure that test conditions are as realistic as possible. This study is aimed at businesses and institutions which offer, or are planning to offer, penetration tests. It presents a structured approach to penetration testing that facilitates -and can ensure -the efficient and focused performance of such tests. The study is also designed to provide assistance with selection criteria to decision-makers in private and public entities who are planning to commission a penetration test.

Risk Management Guide for Information Technology Systems

Penetration Testing Internet Security Whitepapers

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization. Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

Software Penetration Testing

Penetration Testing Internet Security Whitepapers

Quality assurance and testing organizations are tasked with the broad objective of assuring that a software application fulfills its functional business requirements. Such testing most often involves running a series of dynamic functional tests to ensure proper implementation of the application’s features. However, because security is not a feature or even a set of features, security testing doesn't directly fit into this paradigm.