Several sets of standards and frameworks have been developed to provide a common base of understanding and expectation for pen tests. Some examples are listed below.

CHECK framework

  • Developed by the Communications-Electronics Security Group (now the National Cyber Security Centre), which is part of the UK Government Communications Headquarters. This scheme ensures that government agencies and public entities can contract with certified companies to test their networks and other systems and identify vulnerabilities affecting confidentiality, integrity, and availability (CIA).

The Open Web Application Security Project (OWASP) Testing Framework

  • Developed by a multinational organization that collects and shares security practices with software developers, this framework provides pen testing and other testing techniques for each part of the software development life cycle. For more information, refer to www.owasp.org.

Open Source Security Testing Methodology Manual (OSSTMM)

  • Developed by the Institute for Security and Open Methodologies (ISECOM), this document is a peer-reviewed guide to security testing and analysis that enables you to tighten up operational security. For more information, refer to www.isecom.org/research.

Penetration Testing Execution Standard (PTES)

  • Developed by security service practitioners to provide business professionals and security service providers with a basic lexicon and guidelines for performing pen tests. The PTES is the general standard, while detailed information is provided in the PTES Technical Guide. For more information, refer to www.pentest-standard.org.

NIST SP 800-115

  • Developed by the US National Institute of Standards and Technology (NIST), the Technical Guide to Information Security Testing and Assessment provides practical recommendations for designing, implementing, and maintaining pen test processes and procedures.