10

I'm interested less in the tools of the trade (there are many questions here already about that), and I am interested more in the process by which you would go about using those tools. So for instance, OWASP has the following testing guide:

https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

Do you have similar go-to guides, where you will move from A-Z though the list, testing for exploits, or do you consider a great deal of the process to be of a "non-disclosure" sort?

AviD
  • 72,708
  • 22
  • 137
  • 218

4 Answers4

6

The OWASP guide is the closest thing to a defined methodology, most testers operate using gut feel and experience imho. I like that OWASP methodology, but I do think it misses a big chunk of testing around application logic flaws.

If you are looking for a starting point to develop your own internal methodology, take the OWASP one, remove areas that are not relevant to your testing, and adapt it.

I believe that the Penetration Testing Execution Framework (PTES) will be one to watch. It is still early days, but I look forward to seeing what the output of that project is. This can be found at http://www.pentest-standard.org

Andrew
  • 161
  • 1
  • 4
2

I don't think there is a non-disclosure-ness to it, but moreso there just isn't a set process.

All applications are different so part of it is just feeling around to see what moves and what doesn't.

Steve
  • 15,215
  • 3
  • 38
  • 66
  • Wouldn't security audit firms have some sort of process though? –  Jul 13 '11 at 20:36
  • 1
    @Brian - security firms would have dozens of processes that would be combined as needed based on what is being secured. – Justin C Jul 13 '11 at 20:51
2

Organisations do have procedures for these, but they are very high level - and each stage can change dramatically dependent on what is discovered, and on the purpose of the test.

See my answer over here for a bit of detail based on the following sequence, which is one of a number of possible procedures:

  • Discovery
  • Vulnerability Scan
  • Vulnerability Assessment
  • Security Assessment
  • Penetration Test
  • Security Review
Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
1

Typically for an web application penetration test a step by step process is little hard to draft and follow. Most of the webapp pentester (including myself!) I have encountered with have their steps / ways of doing a scan. Everyone has their own way of approaching a test. This is because for webapp pentest you try to find out known classes of vulnerabilities in "unknown" pieces of code. Whereas in network testing you find out known classes in known piece of code. Having said that bodies like OWASP and WASC have drafted webapp vulnerability classes and a good testing methodology that should ideally cover most of the scenarios. I think WASC coverage is appreciable in business logic and several other complex vulnerabilities. You can also check out ISSAF guide 0.2.1B (Sec T to Sec Y). This is also pretty useful and I seldom refer to this along with OWASP testing guide while carrying out pentest.

RudraK
  • 87
  • 3