Re: Pentesting Methodology/Framework
Hi Kurt,

The ISSAF seems rather broad, but suffers from a lack of depth and
maturity. However, it is free and if you are just trying to decide what
tests you should perform on your organization, this is a great way to
build a skeleton of sorts. The latest version of the ISSAF is v0.2 to my
knowledge. This should give you an indication of its maturity. However,
I'm intrigued to see what future versions will be like.

I must admit that I don't know what's in the latest OSSTMM, mainly
because I'm not interested in paying for a pen testing methodology. That
said, having read the earlier OSSTMM document (which is now free) I was
satisfied with its quality overall, though disappointed with its
outdated nature and wished that this, too, was free. Latest version is
v3.0 and the latest free version is v2.2, IIRC.

You may also want to look for Foundstone's "hacker methodology" document
(I have only been able to locate outlines, not the full methodology) for
a rudimentary structure.

Optionally, for a basic structure with some more detail, you may wish to
refer to NIST 800-115.

Hope this helps!
--
Daniel Crowley, CICP, GCIH
Technical Specialist
Core Security Technologies
Direct: +1 (617) 695-1151
Fax: +1 (617) 399-6987

"One machine can do the work of fifty ordinary men. No machine can do
the work of an extraordinary man." - Elbert Hubbard


On 11/8/2010 8:48 PM, Kurt M.D. John wrote:
Hey guys,

What are your thoughts on Information System Security Framework (ISSF) vs.
Open Source Security Testing Methodology Manual (OSSTMM)?


Thanks,

Kurt M. D. John, CISA, C|EH, CPT



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------