Difference between revisions of "Main Page"

From The Penetration Testing Execution Standard
Jump to navigation Jump to search
(disclaimer add)
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Welcome to the Penetration Testing Execution Standard homepage. This will be the ultimate home for the penetration testing execution standard.
For more information on what this standard is, please visit:
*[[FAQ|The Penetration Testing Execution Standard: FAQ]]


===High Level Organization of the Standard===
===High Level Organization of the Standard===
*Note: This is a PRE ALPHA RELEASE. We have had TONSof interest from many members of the security community to help out and we wanted to show where we were at. This effort has been going on since November 2010 and has had over 1800 revisions. The links below are a basic view into where we are at today. As you will notice, the map has some branches that are not fully expanded as well as some basic information left out.
The penetration testing execution standard consists of seven (7) main sections. These cover everything related to a penetration test - from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post exploitation, where the technical security expertise of the testers come to play and combine with the business understanding of the engagement, and finally to the reporting, which captures the entire process, in a manner that makes sense to the customer and provides the most value to it.
 
What we are looking for out of this release:
 
-Gain help from people who understand the direction of the map and will be willing to document the methods used to carry out the tasks identified in the branches
 
-Take feedback and comments form the community on improvements
 
-Identify a timeline for the full standard creation
 
-Create teams to tackle writing our the formal standard
 
-Create tools to address the gaps identified during the creation of the Standard
 
-And most of all, put an end to the poorly defined term Penetration Test!
 
Not all of these sections will survive the cuts after this round and there are many changes to come:
 
-Added Content
-Weighting system
-Grading Structure
-Sample contracts
-Sample deliverables
-PTES Adaptive Strength questionnaire
-tons more...
 
Hope you enjoy...
-Nickerson


This version can be considered a v1.0 as the core elements of the standard are solidified, and have been "road tested" for over a year through the industry. A v2.0 is in the works soon, and will provide more granular work in terms of "levels" - as in intensity levels at which each of the elements of a penetration test can be performed at. As no pentest is like another, and testing will range from the more mundane web application or network test, to a full-on red team engagement, said levels will enable an organization to define how much sophistication they expect their adversary to exhibit, and enable the tester to step up the intensity on those areas where the organization needs them the most. Some of the initial work on "levels" can be seen in the intelligence gathering section.


Following are the main sections defined by the standard as the basis for penetration testing execution:
Following are the main sections defined by the standard as the basis for penetration testing execution:
*[[Pre-engagement|Pre-engagement Interactions]]
*[[Pre-engagement|Pre-engagement Interactions]]
*[[Intelligence_Gathering|Intelligence Gathering]]
*[[Intelligence_Gathering|Intelligence Gathering]]
*[[Threat_Modelling|Threat Modelling]]
*[[Threat_Modeling|Threat Modeling]]
*[[Vulnerability_Analysis|Vulnerability Analysis]]
*[[Vulnerability_Analysis|Vulnerability Analysis]]
*[[exploitation|Exploitation]]
*[[exploitation|Exploitation]]
*[[Post_Exploitation|Post Exploitation]]
*[[Post_Exploitation|Post Exploitation]]
*[[reporting|Reporting]]
*[[reporting|Reporting]]
As the standard does not provide any technical guidelines as far as how to execute an actual pentest, we have also created a technical guide to accompany the standard itself. The technical gude can be reached via the link below:
*[[PTES_Technical_Guidelines | Technical Guidelines]]
For more information on what this standard is, please visit:
*[[FAQ|The Penetration Testing Execution Standard: FAQ]]

Latest revision as of 20:14, 16 August 2014

High Level Organization of the Standard

The penetration testing execution standard consists of seven (7) main sections. These cover everything related to a penetration test - from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post exploitation, where the technical security expertise of the testers come to play and combine with the business understanding of the engagement, and finally to the reporting, which captures the entire process, in a manner that makes sense to the customer and provides the most value to it.

This version can be considered a v1.0 as the core elements of the standard are solidified, and have been "road tested" for over a year through the industry. A v2.0 is in the works soon, and will provide more granular work in terms of "levels" - as in intensity levels at which each of the elements of a penetration test can be performed at. As no pentest is like another, and testing will range from the more mundane web application or network test, to a full-on red team engagement, said levels will enable an organization to define how much sophistication they expect their adversary to exhibit, and enable the tester to step up the intensity on those areas where the organization needs them the most. Some of the initial work on "levels" can be seen in the intelligence gathering section.

Following are the main sections defined by the standard as the basis for penetration testing execution:

As the standard does not provide any technical guidelines as far as how to execute an actual pentest, we have also created a technical guide to accompany the standard itself. The technical gude can be reached via the link below:

For more information on what this standard is, please visit:

Retrieved from "http://www.pentest-standard.org/index.php?title=Main_Page&oldid=950"