Can you explain what are the methodologies of penetration testing?
Penetration testing can be determined as a legal and approved attempt to establish and successfully utilize computer systems for the objective of creating those systems more secure. The method involves examining of vulnerabilities as well as providing evidence to describe the vulnerabilities are genuine. Accurate penetration testing consistently ends with definite suggestions for fixing the problem that was detected during the test. Altogether, this process is used to help for defending computers and networks from future attacks.
There are many methodologies that can be followed to conduct a pen test such as OSSTMM, OWASP, ISAF, PTES, and Kali Linux
- It contains of 6 phases.
- It subsists of test module for each area.
The following are the phases of OSSTMM:
- Information security testing.
- Process security testing.
- Internet technology security testing.
- Communications security testing.
- Wireless security testing
- Physical security testing
The first phase of this method involves testing of issues relevant to information. This methodology is mainly focused on the high-level description of the testing process unconcerned of management of pen testing. OWASP stands for an open web application security project.
- It contains of 5 phases.
- It consists of a software development life cycle (SDLC) framework.
The following are the phases of OWASP:
- Information gathering.
- Configuration management testing.
- Authentication testing.
- Session management testing.
- Authorization testing.
The first phase involves the gathering of information which applies to the target system. This methodology does not focus on management of penetration test and mainly concerned with technical and high-level description of the testing. ISAF stands for the information system security assessment framework.
- It includes of 9 phases.
- It consists of testing standards for each domain which reflects actual scenarios.
The following are the phases of ISAF:
- Information gathering.
- Network mapping.
- Vulnerability identification.
- Gaining access and privilege escalation.
- Enumerating further.
- Compromise remote users/ sites.
- Maintaining access.
- Cover the track.
- The first phase involves gathering information to analyze the system’s weakness.
- It partially focuses on management of penetration testing and mainly focuses on the technical and high-level description of the testing process.