Top Penetration Testing Methodologies (and How They Work)


In offensive cyber security there are almost unlimited ways to approach a penetration test, whether internal, external, or wireless. That freedom cuts both ways: with so many areas that need to be covered, it is hard to conduct tests that are both thorough and repeatable.

Because of this, several penetration testing methodologies have emerged to help you work through the different kinds of tests you might be tasked with. In this article, we will discuss the methodologies you are most likely to benefit from on your next pentest.

Why Use a Penetration Testing Methodology?

Because penetration tests vary so widely in type and in the technologies they target, delivering a consistent product from one engagement to the next is difficult. A penetration testing methodology lets you standardize your tests into repeatable, consistent approaches, so two testers (or the same tester a year later) cover the same ground and produce comparable results. Not all methodologies focus on the same types of tests, however, so let’s break down the top testing frameworks.

Open Web Application Security Project (OWASP) Testing Guide


Who Designed This Methodology

The Open Web Application Security Project (OWASP) Foundation is a nonprofit, community-driven organization that tracks and publishes the most up-to-date web application security risks, vulnerabilities, and penetration testing methodologies.

What Is This Method’s Purpose

The OWASP Web Security Testing Guide (WSTG, version 4.2 at the time of writing) focuses on web applications and their related technologies. It gives web application testers a step-by-step guide, organized by vulnerability class, from initial information gathering through client-side and API testing, with each individual test assigned a stable identifier (for example WSTG-SESS-02, Testing for Cookies Attributes).

What Are the Steps

The WSTG’s top-level test categories, each containing a set of numbered individual tests, are the following:

  • Information Gathering
  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Testing for Error Handling
  • Testing for Weak Cryptography
  • Business Logic Testing
  • Client-side Testing
  • API Testing
  • Reporting
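As an added example (not code from OWASP or the WSTG), here is a small offline check that mirrors two of the individual tests in the list above: Testing for Cookies Attributes (WSTG-SESS-02, under Session Management Testing) and Test HTTP Strict Transport Security (WSTG-CONF-07, under Configuration and Deployment Management Testing), plus the server-banner concern from Information Gathering. The HTTP response it parses is constructed for the example and assumed to have been served over HTTPS; in practice you would feed it a response captured in your intercepting proxy.

```python
"""Added example, not code from the OWASP WSTG: an offline check that mirrors
WSTG-SESS-02 (cookie attributes) and WSTG-CONF-07 (HSTS), plus the Server
banner concern from the Information Gathering chapter. The response below is
constructed for the example, not captured from a real site.
"""

# Constructed sample: a raw HTTP/1.1 response as it might appear in an
# intercepting proxy. Assumed to have been served over HTTPS.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw: str):
    """Split a raw response into (status line, [(name, value), ...], body).

    Headers are kept as a list rather than a dict because Set-Cookie
    legitimately repeats, and every instance needs checking.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers, body


def header_values(headers, name):
    """All values of a (case-insensitive) header name, in order."""
    name = name.lower()
    return [v for n, v in headers if n == name]


def check_cookie(set_cookie: str, over_https: bool = True):
    """WSTG-SESS-02: report missing Secure, HttpOnly and SameSite attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    findings = []
    if over_https and "secure" not in attrs:
        findings.append(f"cookie {cookie_name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {cookie_name}: missing HttpOnly")
    if "samesite" not in attrs:
        findings.append(f"cookie {cookie_name}: missing SameSite")
    return findings


def check_response(raw: str = SAMPLE_RESPONSE, over_https: bool = True):
    """Run the header and cookie checks; return a list of finding strings."""
    _, headers, _ = parse_response(raw)
    findings = []
    # WSTG-CONF-07: an HTTPS response without HSTS leaves room for downgrade attacks.
    if over_https and not header_values(headers, "Strict-Transport-Security"):
        findings.append("missing Strict-Transport-Security header (WSTG-CONF-07)")
    # Information Gathering: a Server banner carrying a version string aids fingerprinting.
    for server in header_values(headers, "Server"):
        if any(ch.isdigit() for ch in server):
            findings.append(f"Server header discloses version: {server}")
    for set_cookie in header_values(headers, "Set-Cookie"):
        findings.extend(check_cookie(set_cookie, over_https))
    return findings


if __name__ == "__main__":
    for finding in check_response():
        print(finding)
```

On the constructed response this reports the missing HSTS header, the versioned Server banner, and two attribute gaps on SESSIONID, while the `prefs` cookie passes. Note the `over_https` flag: flagging a missing `Secure` attribute on a plain-HTTP response would be noise, which is why the check takes the transport into account.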

When Should I Use This Methodology

The WSTG is considered the gold standard for web application penetration tests. Organizations also benefit from applying it during a web application’s development lifecycle, so that security is built in rather than retrofitted after a finding.

What Makes This Methodology Worth Knowing

Its comprehensive, web-specific coverage gives the OWASP guide a significant advantage over general-purpose methodologies whenever a test focuses on web applications, whether the goal is assuring customers and clients that an application is safe or supporting an audit or security assessment.

OWASP also maintains a range of related projects. The OWASP Top 10 is the Foundation’s periodically updated list (most recently 2021) of the most critical web application security risks. Other projects include SAMM (the Software Assurance Maturity Model), the Secure Coding Practices guide, OWASP Mobile Application Security (the MASVS standard and MASTG testing guide for mobile apps), and Zed Attack Proxy (ZAP), an open-source intercepting proxy and web application scanner that began life as an OWASP project.

Penetration Testing Execution Standard (PTES)


Who Designed This Methodology

Penetration Testing Execution Standard (PTES) is an open-source framework to standardize penetration tests. PTES is community-driven by industry-leading security practitioners, giving it a wide range of applicability to different testing projects.

What Is This Method’s Purpose

PTES’s main purpose is to give testers a systematic process, from scoping through reporting, for identifying and exploiting security vulnerabilities and reporting them with appropriate mitigation guidance. The standard is accompanied by a set of technical guidelines that suggest tools and techniques for each phase.

What Are the Steps

PTES has seven primary phases within its framework:

  • Pre-engagement interactions
  • Information Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting
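The first phase, pre-engagement interactions, is where scope, exclusions, and the testing window are agreed, and PTES stresses that this agreement must then be honored throughout the engagement. As an added example (not part of PTES or its technical guidelines), the following code turns that agreement into a check your scanning and exploitation tooling can consult before it touches a target. The rules of engagement, the RFC 5737 documentation address ranges, the excluded hosts, and the time window are all constructed for the example.

```python
"""Added example, not part of PTES: enforcing the pre-engagement scope
agreement in tooling. The rules of engagement below are constructed; the
address ranges are RFC 5737 documentation ranges.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement, as they might be recorded after pre-engagement.
RULES_OF_ENGAGEMENT = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],
    # Hosts the client explicitly carved out (e.g. a fragile production pair).
    "excluded": ["203.0.113.250/31"],
    # Agreed testing window, ISO 8601 with UTC offsets.
    "window": ("2024-06-03T08:00:00+00:00", "2024-06-07T18:00:00+00:00"),
}

# Timestamps used by the demo and tests (timezone-aware, as `when` must be).
DURING_WINDOW = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 6, 8, 9, 0, tzinfo=timezone.utc)


def _networks(entries):
    # strict=False accepts both bare host addresses ("198.51.100.10" -> /32) and CIDR blocks.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_in_scope(target: str, roe: dict = RULES_OF_ENGAGEMENT, when: datetime = None):
    """Return (allowed, reason) for one target address at aware datetime `when`.

    A target is allowed only if it lies inside an in-scope range, outside every
    excluded range, and the time is within the agreed window. Exclusions are
    checked first so an excluded host inside an in-scope block is still refused.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target}: not a valid IP address (resolve hostnames first)"

    if any(addr in net for net in _networks(roe["excluded"])):
        return False, f"{addr}: explicitly excluded by the rules of engagement"
    if not any(addr in net for net in _networks(roe["in_scope"])):
        return False, f"{addr}: not within any in-scope range"

    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    now = when or datetime.now(timezone.utc)
    if not (start <= now <= end):
        return False, f"{addr}: outside the agreed testing window ({start} to {end})"
    return True, f"{addr}: in scope"


def filter_targets(targets, roe=RULES_OF_ENGAGEMENT, when=None):
    """Split a candidate list into (allowed, rejected) lists of (target, reason)."""
    allowed, rejected = [], []
    for t in targets:
        ok, reason = is_in_scope(t, roe, when)
        (allowed if ok else rejected).append((t, reason))
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = filter_targets(
        ["203.0.113.5", "203.0.113.251", "198.51.100.10", "192.0.2.1", "db.internal"],
        when=DURING_WINDOW,
    )
    for _, reason in ok + bad:
        print(reason)
```

Two design points worth copying: exclusions are evaluated before inclusions, so a carve-out inside an in-scope block wins, and hostnames are rejected rather than silently resolved, because the address a name resolves to at test time may not be the one that was agreed.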

When Should I Use This Methodology

PTES can be used for internal, external, and wireless penetration testing within an environment. Its emphasis on information gathering and threat modeling lets you tailor a test to the organization’s specific infrastructure and the threats it actually faces, so the findings reflect realistic attack paths rather than a generic checklist.

What Makes This Methodology Worth Knowing

Its structured, end-to-end approach helps you cover every necessary aspect of your assessment, and the same structure provides standardization across tests should your organization establish penetration testing as a regular security measure.

NIST Special Publication 800-115


Who Designed This Methodology

The National Institute of Standards and Technology (NIST) is a non-regulatory U.S. government agency that publishes widely used technology standards and guidelines, including the SP 800 series on information security. NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment (2008), covers security testing from engagement setup to post-testing activity.

What Is This Method’s Purpose

NIST Special Publication 800-115 guides testers through a comprehensive and thorough security assessment of an organization’s environment. It outlines testing methodologies and different techniques to test security controls.

What Are the Steps

SP 800-115 organizes an assessment into three phases, and its penetration testing section subdivides the middle one:

  • Planning (rules of engagement, scope, choice of assessment techniques, logistics)
  • Execution (for a penetration test: discovery, then an attack phase that cycles through gaining access, escalating privileges, system browsing, and installing additional tools)
  • Post-Execution (analysis of findings, reporting, and remediation/mitigation)

Rather than additional steps, the guide also sets out a risk-based approach to selecting techniques (grouped into review, target identification and analysis, and target vulnerability validation techniques) and stresses feeding the results into the organization’s risk management process.

When Should I Use This Methodology

NIST SP 800-115 is particularly useful when the goal of a security test is to satisfy compliance or regulatory requirements. Formal audits often reference NIST publications when evaluating an organization, and testing to SP 800-115 lets you proactively address issues that might otherwise surface during an audit.

What Makes This Methodology Worth Knowing

NIST SP 800-115 is widely recognized across the cyber security industry, and by auditors and regulators outside the United States, as a sound baseline for security testing practice. Being familiar with it, and testing against it, provides a solid foundation for your organization’s security posture.

ISSAF Penetration Testing Framework


Who Designed This Methodology

The Information Systems Security Assessment Framework (ISSAF) was produced by the Open Information Systems Security Group (OISSG). Although it is no longer maintained, its structure still offers a sound overarching approach to penetration testing.

What Is This Method’s Purpose

The ISSAF framework aims to provide testers with a thorough methodology for identifying vulnerabilities, testing them, and cleaning up any artifacts left post-test.

What Are the Steps

ISSAF breaks the test into three distinct phases, each with its own list of steps:

Phase 1: Planning and Preparation

  • Communication with stakeholders and testing team(s)
  • Identify scope and methodology
  • Agreement on testing use cases and escalation paths

Phase 2: Assessment

  • Information Gathering
  • Network Mapping
  • Vulnerability Identification
  • Penetration
  • Initial Access and Privilege Escalation
  • Post-Exploitation
  • Covering of Tracks

Phase 3: Reporting, Clean-Up, and Artifact Destruction

  • Report Writing
  • Removal of Penetration Testing Toolkits
  • Deletion of Post-Exploitation Artifacts (Files/Directories)
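The clean-up steps in Phase 3 are only reliable if you know exactly what you left behind. As an added example (not an ISSAF tool), the following code keeps a manifest of every artifact dropped on a host, recording its SHA-256 at the moment it is written, and at clean-up time deletes only files whose hash still matches. A file that has changed since you wrote it, or that you never recorded, is left in place and reported, so the clean-up phase cannot destroy something the client has since adopted or modified. The directory and file names are constructed for the demonstration.

```python
"""Added example, not an ISSAF tool: a manifest-driven clean-up for the ISSAF
reporting/clean-up phase. Every artifact the tester drops is recorded with its
SHA-256; clean-up deletes only files whose hash still matches, and reports the
rest. The working directory and file names below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large tool archives are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ArtifactManifest:
    """Persistent JSON list of {path, sha256} entries, saved on every record()."""

    def __init__(self, manifest_path: Path):
        self.manifest_path = Path(manifest_path)
        self.entries = []
        if self.manifest_path.exists():  # resume a manifest from an earlier session
            self.entries = json.loads(self.manifest_path.read_text())

    def _save(self):
        self.manifest_path.write_text(json.dumps(self.entries, indent=2))

    def record(self, path: Path):
        """Call immediately after dropping a tool, script or output file."""
        path = Path(path).resolve()
        self.entries.append({"path": str(path), "sha256": sha256_of(path)})
        self._save()

    def cleanup(self):
        """Remove recorded artifacts; return {path: status} for the report appendix."""
        results = {}
        remaining = []
        for entry in self.entries:
            path = Path(entry["path"])
            if not path.exists():
                results[str(path)] = "already gone"
            elif sha256_of(path) != entry["sha256"]:
                # Modified since we wrote it: do not destroy something we no longer own.
                results[str(path)] = "skipped: content changed since recorded"
                remaining.append(entry)
            else:
                path.unlink()
                results[str(path)] = "removed"
        self.entries = remaining
        self._save()
        return results


def demo():
    """Drop two artifacts, simulate the client editing one, then clean up.

    Returns ({file name: status}, tool still present?, notes still present?).
    """
    with tempfile.TemporaryDirectory() as workdir:
        root = Path(workdir)
        manifest = ArtifactManifest(root / "pentest-manifest.json")

        tool = root / "enum.sh"
        tool.write_text("#!/bin/sh\necho 'enumeration placeholder'\n")
        manifest.record(tool)

        notes = root / "findings.txt"
        notes.write_text("admin hash captured\n")
        manifest.record(notes)
        # Constructed scenario: someone on the client side appends to our file.
        notes.write_text("admin hash captured\n# client appended their own note\n")

        results = manifest.cleanup()
        statuses = {Path(p).name: status for p, status in results.items()}
        return statuses, tool.exists(), notes.exists()


if __name__ == "__main__":
    statuses, _, _ = demo()
    for name, status in statuses.items():
        print(f"{name}: {status}")
```

The `skipped` entries are exactly what belongs in the report’s clean-up section: each one is a file the client needs to decide about, and the manifest keeps them so a second clean-up pass can be run after that decision.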

When Should I Use This Methodology

Like the other frameworks here, ISSAF can be used to assess the security of your organization’s environment. It is particularly well suited to testing production systems that must stay up during and after the assessment, because it treats removing toolkits and post-exploitation artifacts as a formal phase rather than an afterthought, so the systems are left in a known-clean state.

ISSAF’s phased layout, with planning, assessment, and clean-up clearly separated, also makes the guide easier to follow and to customize if you prefer that type of breakdown.

What Makes This Methodology Worth Knowing

ISSAF’s identification of different testing layers to be addressed during a penetration test can provide you with a well-structured approach throughout the assessment. It can also help ensure networks remain secure even after a robust penetration test.

CREST Penetration Testing Methodology


Who Designed This Methodology

CREST (originally the Council of Registered Ethical Security Testers) is an international not-for-profit accreditation and certification body. It accredits companies that provide penetration testing and related services and certifies individual testers through examinations such as the CREST Registered Penetration Tester (CRT). The methodology referred to here as the CREST Penetration Testing Methodology (CPTM) is the guidance it publishes for running those tests.

What Is This Method’s Purpose

CPTM was designed to provide a standard and comprehensive approach to penetration tests, particularly for CREST Registered Penetration Testers. It can guide you through thorough assessments of both networks and applications.

What Are the Steps

CREST’s penetration testing methodology includes the following steps:

  • Pre-engagement
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post-Exploitation
  • Reporting
  • Review

When Should I Use This Methodology

CPTM covers internal, external, and wireless network tests as well as application tests. It is the natural choice when a client, regulator, or procurement process requires testing by a CREST-accredited provider, which is common in the UK and increasingly elsewhere.

What Makes This Methodology Worth Knowing

CREST is a well-known and widely respected security organization, particularly internationally, which gives its standards broad influence across the industry. Testing your organization’s environment to the CREST standard can provide a solid foundation for future security audits.

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)


Who Designed This Methodology

The MITRE Corporation has supported the security community for years, and its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is arguably its most famous contribution. ATT&CK is a curated knowledge base of adversary tactics and techniques drawn from real-world observations of intrusions; its Enterprise matrix spans the full intrusion lifecycle, from Reconnaissance through Initial Access and Privilege Escalation to Exfiltration and Impact.

What Is This Method’s Purpose

MITRE ATT&CK was designed to provide a comprehensive and structured model for understanding adversarial tactics and techniques. Additionally, it allows for accurate categorization of different attacks to better understand attack kill chains.

What Are the Steps

MITRE ATT&CK is unique in this list because it does not prescribe steps at all. It is a matrix: the columns are tactics (the adversary’s goal at a given stage, such as Initial Access or Credential Access) and the cells beneath each are techniques and sub-techniques (how that goal is achieved), each with a stable identifier such as T1190 for Exploit Public-Facing Application. A single technique can appear under several tactics. Separate matrices exist for Enterprise, Mobile, and ICS environments.

When Should I Use This Methodology

You can utilize MITRE ATT&CK as a reference point during each attack phase of a penetration test. The ability to reference specific attack techniques, employ unfamiliar tactics, or explore additional attack options allows you to conduct truly comprehensive assessments.
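Using ATT&CK as a reference point is most useful when it is done systematically, for instance by tagging every finding with the technique it exercised and then asking which tactics the test never touched. As an added example (not a MITRE tool), the code below does that with a small, hand-picked subset of real ATT&CK Enterprise identifiers; the full knowledge base has hundreds of techniques and is published as STIX data you would load instead of a hard-coded table. The findings are constructed for the example.

```python
"""Added example, not a MITRE tool: mapping penetration test findings to
ATT&CK so a report shows which tactics were exercised and which were not.
TACTICS and TECHNIQUES are a small subset of real ATT&CK Enterprise
identifiers; FINDINGS are constructed for the example.
"""

# Enterprise tactics in kill-chain order (real TA identifiers; subset of the matrix).
TACTICS = [
    ("TA0043", "Reconnaissance"),
    ("TA0001", "Initial Access"),
    ("TA0002", "Execution"),
    ("TA0003", "Persistence"),
    ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"),
    ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"),
    ("TA0008", "Lateral Movement"),
    ("TA0010", "Exfiltration"),
    ("TA0040", "Impact"),
]

# Technique ID -> (name, tactics it belongs to). A technique can sit under
# several tactics; T1078 Valid Accounts is the classic example.
TECHNIQUES = {
    "T1595": ("Active Scanning", ["TA0043"]),
    "T1190": ("Exploit Public-Facing Application", ["TA0001"]),
    "T1078": ("Valid Accounts", ["TA0001", "TA0003", "TA0004", "TA0005"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1068": ("Exploitation for Privilege Escalation", ["TA0004"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1110": ("Brute Force", ["TA0006"]),
    "T1046": ("Network Service Discovery", ["TA0007"]),
    "T1021": ("Remote Services", ["TA0008"]),
    "T1041": ("Exfiltration Over C2 Channel", ["TA0010"]),
    "T1486": ("Data Encrypted for Impact", ["TA0040"]),
}

# Constructed findings, as a tester might record them during the engagement.
FINDINGS = [
    {"id": "F-01", "title": "External scan enumerated exposed services", "technique": "T1595"},
    {"id": "F-02", "title": "Default credentials accepted on management portal", "technique": "T1078"},
    {"id": "F-03", "title": "Unpatched web application allowed code execution", "technique": "T1190"},
    {"id": "F-04", "title": "Local exploit gave root on the web host", "technique": "T1068"},
    {"id": "F-05", "title": "Credentials dumped from memory on jump host", "technique": "T1003"},
]


def map_findings(findings, techniques=TECHNIQUES):
    """Return {tactic_id: {technique_id: [finding ids]}}.

    A finding tagged with a multi-tactic technique counts toward every tactic
    that technique belongs to. Unknown technique IDs raise rather than being
    silently dropped, so typos in the findings list surface immediately.
    """
    coverage = {}
    for f in findings:
        tid = f["technique"]
        if tid not in techniques:
            raise KeyError(f"{f['id']}: unknown technique {tid}")
        for tactic in techniques[tid][1]:
            coverage.setdefault(tactic, {}).setdefault(tid, []).append(f["id"])
    return coverage


def coverage_report(findings, tactics=TACTICS, techniques=TECHNIQUES):
    """Return (covered, gaps).

    covered: [(tactic_id, tactic_name, [technique ids exercised])] in kill-chain order.
    gaps: names of tactics with no finding, i.e. stages the test did not exercise.
    """
    mapped = map_findings(findings, techniques)
    covered, gaps = [], []
    for tactic_id, name in tactics:
        if tactic_id in mapped:
            covered.append((tactic_id, name, sorted(mapped[tactic_id])))
        else:
            gaps.append(name)
    return covered, gaps


if __name__ == "__main__":
    covered, gaps = coverage_report(FINDINGS)
    for tactic_id, name, techs in covered:
        print(f"{tactic_id} {name}: {', '.join(techs)}")
    print("not exercised:", ", ".join(gaps))
```

With the constructed findings, the report shows Reconnaissance through Credential Access exercised (Valid Accounts alone lights up four tactic columns) and flags Execution, Discovery, Lateral Movement, Exfiltration, and Impact as untested. That gap list is a direct input to scoping the next engagement.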

What Makes This Methodology Worth Knowing

MITRE ATT&CK gives penetration testers, and red teamers in particular, extremely detailed knowledge of real-world attack techniques. That lets you test against niche techniques that other methodologies would overlook, and lets the blue team map your findings directly to their detections. MITRE’s companion D3FEND knowledge base, which catalogs defensive techniques and maps them to ATT&CK, provides the same kind of guidance for the defensive side.

OSSTMM Open-Source Security Testing Methodology Manual


Who Designed This Methodology

The Open Source Security Testing Methodology Manual (OSSTMM) was developed by the Institute for Security and Open Methodologies (ISECOM). It is a peer-reviewed methodology intended to be holistic, quantitative, transparent, and educational.

What Is This Method’s Purpose

Although OSSTMM provides guidance for conducting structured and standardized security assessments, its distinguishing focus is on producing workable metrics from the test: rather than a list of findings, the output is a measurement of the target’s operational security (its attack surface and the controls that limit it). That gives you a strong starting point for meaningful post-test reports and recommendations.

What Are the Steps

OSSTMM does not prescribe a linear sequence of attack steps. OSSTMM 3 instead organizes a test across five channels (Human, Physical, Wireless, Telecommunications, and Data Networks) and, within each channel, four phases:

  • Induction Phase (establish the target’s posture, including the regulatory and policy constraints on the test)
  • Interaction Phase (define the scope and map what interacts with what, including access and trust)
  • Inquest Phase (gather information about the target, its processes, configuration, and exposures)
  • Intervention Phase (actively test the controls identified, including privileges, survivability, and alerting)

The results feed the rav, OSSTMM’s attack-surface metric, and are delivered in a Security Test Audit Report (STAR).

When Should I Use This Methodology

You can use OSSTMM as guidance to conduct a structured, complete penetration test. Additionally, OSSTMM can be especially beneficial when the goal of the test is to provide detailed findings report(s) for your organization to conduct thorough post-test activity.

What Makes This Methodology Worth Knowing

The emphasis on ethics, measurement, and metrics gives you a solid foundation of trust between your testing team and your organizational stakeholders, which matters most when the team is external or third-party. OSSTMM’s Physical and Human channels also give it explicit guidance on physical security and social engineering, which benefits engagements that include those activities.

Conclusion

Following a penetration testing methodology provides the standardization you need if offensive testing is to become a regular, comparable practice within your organization. A methodology also keeps you from missing critical tests or areas among the many activities a penetration test involves.

Summary of each methodology and its benefits:

Method: OWASP Testing Guide (WSTG)
  • Designed specifically for web applications
  • Step-by-step guide
  • Can be applied during the development lifecycle

Method: PTES
  • Complete methodology from pre-engagement to reporting
  • Customizable

Method: NIST SP 800-115
  • Published by the US government
  • Widely referenced by auditors and regulators
  • Suited to satisfying regulatory and compliance requirements

Method: ISSAF
  • Phased approach can provide clearer guidance when customizing
  • Strong emphasis on cleaning up artifacts and restoring systems

Method: CREST
  • Highly recognized and respected internationally
  • Individual testers can sit an exam to become a CREST Registered Penetration Tester

Method: MITRE ATT&CK
  • A highly comprehensive matrix of attack techniques
  • Especially useful for red team engagements

Method: OSSTMM
  • Emphasizes ethics, measurements, and metrics
  • Guidance on physical security and social engineering

No matter which methodology works best for your organization, following one gives any tester a solid foundation to build on.

About the author: StationX Team

We are a UK-based cyber security training and career development platform established in 1999. We have over 500,000 students in 195 countries. We empower the next generation of professionals to reach their highest career potential.
