Author: Ionut – Daniel BARBU
The purpose of this listing is to present some interesting security testing guides. I foresee this as an open discussion and comments are highly appreciated.
OWASP Testing Project
“The OWASP Testing Project has been in development for many years. The aim of the project is to help people understand the what, why, when, where, and how of
testing web applications.”
The latest version of the guide can be found here.
Open Source Security Testing Methodology Manual
“It is a peer-reviewed manual of security testing and analysis which result in verified facts. These facts provide actionable information that can measurably improve your operational security. The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does. What you get from utilizing OSSTMM is a deep understanding of the interconnectedness of things. The people, processes, systems, and software all have some type of relationship.”
More details related to OSSTMM can be found here.
PTES Technical Guidelines
“PTES technical guidelines […] help define certain procedures to follow during a penetration test. Something to be aware of is that these are only baseline methods that have been used in the industry. They will need to be continuously updated and changed upon by the community as well as within your own standard. Guidelines are just that, something to drive you in a direction and help during certain scenarios, but not an all encompassing set of instructions on how to perform a penetration test. Think outside of the box.”
Here can be found additional information.
NIST Technical Guide to Information Security Testing and Assessment ES Technical Guidelines
This is the official guide published by National Institute of Standards and Technology through special publication 800-115.
Which one do you use? Would you recommend another one?