Here are some of the media releases since the birth of PTES.
Iftach Ian Amit (iiamit) Blog
Dave Kennedy (ReL1K) Blog
Source Boston session on PTES and the video interview
Fork Disclaimer: Note that this is an unofficial fork, the goal of which is to experiment with an alternative platform for the standard. The official PTES can be located at http://pentest-standard.org/.
The penetration testing execution standard consists of seven (7) main sections. These cover everything related to a penetration test: from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post exploitation, where the technical security expertise of the testers comes into play and combines with the business understanding of the engagement, and finally to the reporting, which captures the entire process in a manner that makes sense to the customer and provides the most value to it.
This version can be considered a v1.0, as the core elements of the standard are solidified and have been “road tested” for over a year through the industry. A v2.0 is in the works, and will provide more granular work in terms of “levels”, as in intensity levels at which each of the elements of a penetration test can be performed. As no pentest is like another, and testing will range from the more mundane web application or network test to a full-on red team engagement, said levels will enable an organization to define how much sophistication they expect their adversary to exhibit, and enable the tester to step up the intensity in those areas where the organization needs it the most. Some of the initial work on “levels” can be seen in the intelligence gathering section.
Following are the main sections defined by the standard as the basis for penetration testing execution:
As the standard does not provide any technical guidelines as far as how to execute an actual pentest, we have also created a technical guide to accompany the standard itself. The technical guide can be reached via the link below:
For more information on what this standard is, please visit:
/source/Reporting:

== Overview ==

This document is intended to define the base criteria for penetration testing reporting. While it is highly encouraged to use your own customized and branded format, the following should provide a high level understanding of the items required within a report as well as a structure for the report to provide value to the reader.

== Report Structure ==

The report is broken down into two (2) major sections in order to communicate the objectives, methods, and results of the testing conducted to various audiences.

== The Executive Summary ==

This section will communicate to the reader the specific goals of the Penetration Test and the high level findings of the testing exercise. The intended audience will be those who are in charge of the oversight and strategic vision of the security program as well as any members of the organization which may be impacted by the identified/confirmed threats. The executive summary should contain most if not all of the following sections:

'''Background:'''

The background section should explain to the reader the overall purpose of the test. Details on the terms identified within the Pre Engagement section relating to risk, countermeasures, and testing goals should be present to connect the reader to the overall test objectives and the relative results.

(Example: (CLIENT) tasked

A: It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. Security evaluations). It started early in 2009 following a discussion that sparked between some of the founding members over the value (or lack of) of penetration testing in the industry.
A: We are a group of information security practitioners from all areas of the industry (i.e. Financial Institutions, Service Providers, Security Vendors). The group currently consists of:
Dave Kennedy, President/CEO - blog TrustedSec.
Chris John Riley, IT Security Analyst - blog Raiffeisen Informatik GmbH.
Eric Smith, Partner - Lares Consulting.
Iftach Ian Amit, Director of Services - blog IOActive.
Andrew Rabie, Wizard - Avon Products Inc.
Stefan Friedli, Senior Security Consultant - scip AG.
Justin Searle, Senior Security Analyst - InGuardians.
Brandon Knight, Senior Security Consultant - SecureState.
Chris Gates, Senior Security Consultant - blog Lares Consulting.
Joe McCray, CEO - Strategic Security.
Carlos Perez, Lead Vulnerability Research Engineer - Tenable Security.
John Strand, Owner - Black Hills Information Security.
Steve Tornio, Senior Consultant - Sunera LLC.
Nick Percoco, Senior Vice President - SpiderLabs at Trustwave.
Dave Shackelford, Security Consultant, SANS Instructor.
Val Smith - Attack Research.
Robin Wood, Senior Security Engineer - blog RandomStorm.
Wim Remes, Security Consultant - EY Belgium.
Rick Hayes, Force Practice Lead - TrustedSec.
A: We started this with about 6 people; the first in-person meeting held almost 20. We would love more insight and down-to-earth opinions, so if you can contribute please feel free to email us.
A: We are aiming to create an actual standard so that businesses can have a baseline of what is needed when they get a pentest as well as an understanding of what type of testing they require or would provide value to their business. The lack of standardization now is only hurting the industry as businesses are getting low-quality work done, and practitioners lack guidance in terms of what is needed to provide quality service.
A: While we can’t possibly cover all scenarios, the standard is going to define a baseline for the minimum that is required from a basic pentest, as well as several “levels” on top of it that provide more comprehensive activities required for organizations with higher security needs. The different levels would also be defined as per the industry in which they should be the baseline for.
A: Yes. We feel that providing a standard for the test without defining how the report is provided would be useless. We will define both executive (business) reporting as well as technical reporting as an integrated part of the standard.
A: Two main communities: businesses that require the service, and service providers. For businesses the goal is to enable them to demand a specific baseline of work as part of a pentest. For service providers the goal is to provide a baseline for the kinds of activities needed, what should be taken into account as part of the pentest from scoping through reporting and deliverables.
A: Following popular demand, we have _a_ version of the mindmap used when creating the first drafts of the standard available for download here (in FreeMind format).