Re: Evaluating pentesters

08Apr2010 (UTC +8)

Hiya Tony,

I'd like to add that the OSSTMM is a great tool used for pentesting. I
have benefited from it a great deal because it helped me communicate
with my client as to what pentesting really is in detail, and how it
can specifically help their business. Go through it, and use it to
filter out the wannabes vs. the real pentesters that you're looking

Another tool that you may want to use is a specific part of the Common
Criteria. I think the metrics here would be a great tool for your
needs. What can be found below is "AVA_VAN.3 Focused vulnerability
analysis" used for EAL4. I've taken the liberty of translating CC
lingo like TOE, SFR, ETR, to something more easily understood in
context by most people. The results of an evaluation are not given
ambiguous ratings like High / Medium / Low risk ratings, but verdicts
like Pass / Fail / Inconclusive.

The pentest customer shall examine the IT System to determine that the
test configuration is consistent with the configuration under
evaluation as specified in the Security Target (i.e., documented specs
of IT product under evaluation).

The pentest customer shall examine the IT System to determine that it
has been installed properly and is in a known state.

The pentester shall examine sources of information publicly available
to identify potential vulnerabilities in the IT System.

The pentester shall conduct a focused search about the IT product
under evaluation, its guidance documentation, functional
specification, IT System design, security architecture description and
implementation representation to identify possible potential
vulnerabilities in the IT System.

The pentester shall record in the Risk Assessment Report the
identified potential vulnerabilities that are candidates for testing
and applicable to the IT System in its operational environment.

The pentester shall devise penetration tests, based on the independent
search for potential vulnerabilities.

The pentester shall produce penetration test documentation for the
tests based on the list of potential vulnerabilities in sufficient
detail to enable the tests to be repeatable. The test documentation
shall include:

a) identification of the potential vulnerability the IT System is
being tested for;
b) instructions to connect and setup all required test equipment as
required to conduct the penetration test;
c) instructions to establish all penetration test prerequisite initial
d) instructions to stimulate the IT System's Interfaces;
e) instructions for observing the behaviour of the IT System's Interfaces;
f) descriptions of all expected results and the necessary analysis to
be performed on the observed behaviour for comparison against expected
g) instructions to conclude the test and establish the necessary
post-test state for the IT System.

The pentester shall conduct penetration testing.

The pentester shall record the actual results of the penetration tests.

The pentester shall report in the Risk Assessment Report the pentester's
penetration testing effort, outlining the testing approach,
configuration, depth and results.

The pentester shall examine the results of all penetration testing to
determine that the IT System, in its operational environment, is
resistant to an attacker possessing an Enhanced-Basic attack

The pentester shall document in the Risk Assessment Report all
exploitable vulnerabilities and residual vulnerabilities, detailing
for each:
a) its source (e.g. evaluation activity being undertaken when it was
conceived, known to the pentester, read in a publication);
b) the Security Functional Requirement(s) not met;
c) a description;
d) whether it is exploitable in its operational environment or not
(i.e. exploitable or residual);
e) the amount of time, level of expertise, level of knowledge of the
IT System, level of opportunity and the equipment required to perform
the identified vulnerabilities, and the corresponding values using the
tables 3 and 4 of Annex B.4 of the Common Methodology for Information
Technology Security Evaluation document (CEMv3.1r3.pdf).

Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
