Difference between revisions of "FAQ"

From The Penetration Testing Execution Standard
 
(14 intermediate revisions by 4 users not shown)
Line 5:
'''A''': It is a new standard designed to provide both businesses and security
service providers with a common language and scope for performing
− penetration testing (i.e. Security evaluations).
+ penetration testing (i.e. Security evaluations). It started early in 2009 following a discussion that sparked between some of the founding members over the value (or lack of) of penetration testing in the industry.


===='''Q''': Who is involved with this standard?====
Line 12:
Vendors). The group currently consists of:
*[http://twitter.com/indi303 Chris Nickerson], CEO - [http://www.lares.com Lares Consulting].
− *[http://twitter.com/dave_rel1k Dave Kennedy], Director of Information Security - [http://www.secmaniac.com/ blog] Diebold.
+ *[http://twitter.com/hackingdave Dave Kennedy], CEO - [https://www.trustedsec.com/blog/ blog] [https://www.trustedsec.com/ TrustedSec].
*[http://twitter.com/chrisjohnriley Chris John Riley], IT Security Analyst - [http://blog.c22.cc blog] Raiffeisen Informatik GmbH.
*[http://twitter.com/infosecmafia Eric Smith], Partner - [http://www.lares.com Lares Consulting].
− *[[User:iamit|Iftach Ian Amit]], VP Consulting - [http://www.iamit.org/blog blog] [http://www.security-art.com Security Art].
+ *[[User:iamit|Iftach Ian Amit]], Director of Services - [http://www.iamit.org/blog blog] [http://www.ioactive.com IOActive].
*[http://www.pentest-standard.org/index.php?title=User:drew Andrew Rabie], Wizard - [http://www.avon.com/ Avon Products Inc].
*[http://twitter.com/stfn42 Stefan Friedli], Senior Security Consultant - [http://www.scip.ch scip AG].
*[[User:Meeas|Justin Searle]], Senior Security Analyst - [http://www.inguardians.com InGuardians].
− *[http://twitter.com/kaospunk Brandon Knight], Senior Security Engineer - Amazon.
+ *[http://twitter.com/kaospunk Brandon Knight], Senior Security Consultant.
− *[http://twitter.com/carnal0wnage Chris Gates], Senior Security Consultant - [http://carnal0wnage.attackresearch.com/ blog] Rapid7.
+ *[http://twitter.com/carnal0wnage Chris Gates], Senior Security Consultant - [http://carnal0wnage.attackresearch.com/ blog] [http://www.lares.com Lares Consulting].
*[http://twitter.com/j0emccray Joe McCray], CEO - Strategic Security.
*[http://twitter.com/Carlos_Perez Carlos Perez], Lead Vulnerability Research Engineer - Tenable Security.
Line 29:
*[http://twitter.com/attackresearch Val Smith] - Attack Research.
*[http://twitter.com/digininja Robin Wood], Senior Security Engineer - [http://www.digininja.org/ blog] [http://www.randomstorm.com RandomStorm].
− *[http://twitter.com/wimremes Wim Remes], Security Consultant - EY Belgium.
+ *[http://twitter.com/wimremes Wim Remes], Security Consultant - Belgium.

===='''Q''': So is this a closed group or can I join in?====
Line 61: Line 59:
===='''Q''': Who is the intended audience for this standard/project?====
'''A''': Two main communities: businesses that require the service, and service providers. For businesses the goal is to enable them to demand a specific baseline of work as part of a pentest. For service providers the goal is to provide a baseline for the kinds of activities needed, what should be taken into account as part of the pentest from scoping through reporting and deliverables.
+ ===='''Q''': Is there a mindmap version of the original sections?====
+ '''A''': Following popular demand, we have _a_ version of the mindmap used when creating the first drafts of the standard available for download [http://iamit.org/docs/Penetration_Testing_Execution_Standard.mm here] (in FreeMind format).

Latest revision as of 15:30, 14 January 2017

Penetration Testing Execution Standard - the FAQ

Q: What is this "Penetration Testing Execution Standard"?

A: It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. Security evaluations). It started early in 2009 following a discussion that sparked between some of the founding members over the value (or lack of) of penetration testing in the industry.

Q: Who is involved with this standard?

A: We are a group of information security practitioners from all areas of the industry (I.e. Financial Institutions, Service Providers, Security Vendors). The group currently consists of:

Q: So is this a closed group or can I join in?

A: We started this with about 6 people; the first in-person meeting had almost 20. We would love more insight and down-to-earth opinions, so if you can contribute please feel free to email us.

Q: Is this going to be a formal standard?

A: We are aiming to create an actual standard so that businesses can have a baseline of what is needed when they get a pentest, as well as an understanding of what type of testing they require or what would provide value to their business. The lack of standardization now is only hurting the industry: businesses are getting low-quality work done, and practitioners lack guidance on what is needed to provide a quality service.

Q: Is the standard going to include all possible pentest scenarios?

A: While we can't possibly cover all scenarios, the standard is going to define a baseline for the minimum that is required from a basic pentest, as well as several "levels" on top of it that provide the more comprehensive activities required for organizations with higher security needs. The different levels would also be defined per industry, according to which level should be the baseline for that industry.

Q: Is this effort going to standardize the reporting as well?

A: Yes. We feel that providing a standard for the test without defining how the report is provided would be useless. We will define both executive (business) reporting as well as technical reporting as an integrated part of the standard.

Q: Who is the intended audience for this standard/project?

A: Two main communities: businesses that require the service, and service providers. For businesses the goal is to enable them to demand a specific baseline of work as part of a pentest. For service providers the goal is to provide a baseline for the kinds of activities needed, what should be taken into account as part of the pentest from scoping through reporting and deliverables.

Q: Is there a mindmap version of the original sections?

A: Following popular demand, we have _a_ version of the mindmap used when creating the first drafts of the standard available for download here (in FreeMind format).