Re: Pentest Criteria

From: TAS <p0wnsauc3@xxxxxxxxx>
Date: Sun, 5 Sep 2010 12:27:26 +0530

Porbably SANS. But I am not very sure if that really fits into "best
practice which lends itself to pentests" thing. If you are looking at
classification of the vulnerabilities than OWASP and WASC are ready
references.

TAS

On 2 September 2010 01:12, Kurt M. John <kurt.md.john@xxxxxxxxx> wrote:

Hey guys,

Another question for you. Usually when we do pentests for our clients we
report our findings and recommendations. We've never had to report the
criteria our findings/vulnerabilities are based on as well. By criteria
I mean industry standards or best practices, e.g., NIST 800_53, CoBIT,
etc.

What if a client wants criteria reported as well. I'm not sure if there
is one I can use without running the risk of it being too far removed.
Is there a frame work or best practice which lends itself to pentests?
Or do I have to try to layer NIST on top of it

Thoughts?

Thanks guys.

Kurt M. John, CISA, C¦EH, CPT

Sent from my HTC on the Now Network from Sprint!

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Follow-Ups:
- Re: Pentest Criteria
  - From: Pete Herzog

References:
- Pentest Criteria
  - From: Kurt M. John

Prev by Date: Arachni v0.1 released
Next by Date: Re: Pentest Criteria
Previous by thread: Pentest Criteria
Next by thread: Re: Pentest Criteria
Index(es):
- Date
- Thread

Relevant Pages

Re: University plan
... As for where i would like to study, it doesn't really matter as long ... you want to be in the daily practice of computer ... universities with CIRTs, summer hires with the government, or internships ... Information Assurance Certification Review Board ...
(Pen-Test)
Re: Data in transit (with a twist)...
... I need some best practice controls, ideally in the form of a best practice ... The risks are obvious. ... relation to the backup media, as well as the integrity and confidentiality ... Information Assurance Certification Review Board ...
(Pen-Test)
Re: OSCP ?
... exploits and practice other chapters covered in the course. ... Information Assurance Certification Review Board ... IACRB CPT and CEPT certs require a full practical ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
(Pen-Test)
Re: SQL passwords
... Practice Lead | Security Assessments & Digital Forensics ... where we could export the password hashes directly from our SQL ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ...
(Pen-Test)
Re: IIS5 Null.Printer vulnerability exploitation tool
... The PoC tool for IIS5 Null.Printer Buffer Overflow vulnerability can ... Practice Lead | Security Assessment & Digital Forensics ... Comprehensive Information Security Training ... Information Assurance Certification Review Board ...
(Pen-Test)