Every process has its own standards that must be followed to get better outcomes. Penetration testing is no different: its standards define the methodology and the measures that need to be taken before a test is conducted.
What are penetration testing standards?
Penetration testing standards are techniques, generally set forth in published materials, that attempt to protect the cyber environment of a user or organization. This environment includes the users themselves, networks, devices, all software, processes, information in storage or in transit, applications, services, and any systems that can be connected directly or indirectly to networks.
The principal objective is to reduce risk, including the prevention or mitigation of cyber attacks. These published materials consist of collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies.
Why penetration testing standards?
- A penetration testing standard is a bridge that provides both businesses and security service providers with a common language and scope for performing a penetration test.
- It is a specific, defined methodology, which makes the process easier to follow.
- The security service improves in quality.
- Errors in the penetration testing process can be identified more easily.
- It reduces time spent and makes the process traceable.
STANDARDS FOR PENETRATION TESTING
The main standards used in penetration testing are described below.
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. OWASP is in a unique position to provide impartial, practical information about application security (AppSec) to individuals, corporations, universities, government agencies and other organizations worldwide.
The Penetration Testing Execution Standard (PTES) is a newer standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. security evaluations). It started in early 2009, following a discussion among some of the founding members over the value (or lack of it) of penetration testing in the industry.
The SANS Institute programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face.
The Open Source Security Testing Methodology Manual (OSSTMM) is about operational security: knowing and measuring how well security actually works. This methodology will tell you whether what you have does what you want it to do, and not just what you were told it does.
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories; Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time.
The PCI Security Standards Council touches the lives of hundreds of millions of people worldwide. A global organization, it maintains, evolves and promotes the Payment Card Industry standards for the safety of cardholder data across the globe.
Using the ISO 27001 family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to you by third parties.
ISO/IEC 27001 is the best-known standard in the family, providing the requirements for an information security management system (ISMS).
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. standard for the protection of electronic protected health information. It establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
Does every penetration test use the same standards?
No! Penetration testing standards vary according to the area of penetration testing.
| Area of penetration testing | Standards |
|---|---|
| Web application and website | OWASP, PTES, SANS, NIST, OSSTMM, ISO 27001, PCI DSS, HIPAA |
| Mobile | NCDRC-MAST, OWASP, OSSTMM |
| Enterprise applications | OWASP, PTES, SANS, NIST, OSSTMM, ISO 27001, PCI DSS, HIPAA |
| API | OWASP, PTES, SANS, NIST, OSSTMM, ISO 27001, PCI DSS, HIPAA |
| Network | PTES, SANS, NIST, PCI DSS, ISO 27001, HIPAA |
| Server | PTES, SANS, NIST, PCI DSS, ISO 27001, HIPAA |
| Router | PTES, SANS, NIST, PCI DSS, ISO 27001 |
| Wireless | PTES, SANS, NIST, PCI DSS, ISO 27001 |