Following are the main sections defined by the standard as the basis for penetration testing execution:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Post Exploitation
Well, after many months of hard work in the background, we’ve reached that point where it’s time to talk about PTES openly.
PTES (Penetration Testing Execution Standard) is a community-driven project designed to clearly define what a penetration test is for both businesses and security service providers. Through a common language and scope for performing penetration tests, we hope to raise the overall quality of testing and really help businesses define what it is they need and expect from a penetration test.
As much as we hate to admit it ourselves, there’s a lot of low-quality testing taking place. Setting a standardized approach to scoping, performing and reporting a penetration test will ultimately help bring up the level of penetration testing to where it should be (or where we hope it will be).
Now, we can’t hope to cover every eventuality, and we certainly won’t try to tell testers what nmap options to use, but we can try to define the minimum steps and coverage required to really differentiate a vulnerability scan from a penetration test. It may sound silly to some, but businesses don’t know what they’re getting sometimes… and thinking you’re secure is never a good option!
Currently we’re in pre-alpha stages, so please get involved. Let us know what you think. Comment, discuss, argue… This doesn’t work without a community behind it.
Note: Please take time to read what we’re attempting and look at the mind-map information before starting to flame… The only thing worse than trying and failing is not trying at all!