What's this for?
Everybody knows that the penetration testing process is something of an "art". It requires knowledge of a wide variety of technologies, operating systems and so on, and an understanding of how things work. In addition, you should be attentive to details and have a rich imagination for how any weakness can be used, whether in a system or in a human.
Pentesters are unique people with their own style of work, but in the enterprise world, and even on a purely commercial basis, we have to follow some kind of standard to be sure that the scope of work is covered in full, and we need some way to classify vulnerabilities. This is where commonly used standards, guides and classifications come in.
Furthermore, customers may sometimes ask you about your plan and skills, and you will need to describe the process of work (penetration testing).
Popular standards and guides in penetration testing
The most popular standards that come to mind are:
- OWASP Testing Guide - a popular standard and guide for web application security testing, which covers many security checks against a web application and its logic.
- OWASP Mobile Testing Guide - a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android security testers, covering everything from deploying a testing environment to the tools and techniques that can be used during security tests.
- WASC - an older, extensive guide for web application security testing. WASC includes a huge number of security checks that a security specialist can execute against a web application. Officially it is described as: "The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site."
- NIST 800-115 - a very popular and widely used standard (including in government) for network and infrastructure security evaluation.
- Penetration Testing Framework - an easy step-by-step guide on how to execute a penetration test (from zero to hero, so to speak).
Why should we use those guides
In the first place, using such guides not only helps to perform a pentest correctly, it also guarantees a certain minimum of checks will be done by following the instructions from, for example, the OWASP Testing Guide or NIST. All these standards are based on previously made mistakes and previous experience, as well as on current and past statistics and best practices.
Let's highlight some key points:
- Understanding how a pentest goes, not only from the perspective of the performer but also from the potential customer's perspective (fewer questions for us).
- We must do things right from the first steps, so we can rely on commonly recognized standards.
- We must have some kind of basic minimum of checks performed; you won't keep everything in your head, and here again standards help us. Everything beyond that will be based on your imagination and experience.
- All compliance checks are based on such standards.
- If you don't know something, you can always refer to the standards. This is especially useful when you are just beginning your way in cyber security, or when you, for example, need to request a penetration test but don't know what questions to ask, how to create a scope of work, or how to tell whether the specialists from the hired company are executing the checks properly.
Vulnerability classification and proper risk assessment
Vulnerabilities can also be classified with the help of standards and classifications. Let's take a look at some popular ones:
- OWASP TOP10 - used for web applications.
- OWASP TOP10 Mobile - used for mobile applications.
- CVSS - the Common Vulnerability Scoring System, which can be used for everything else.
When you need to create a report, describe vulnerabilities, and explain to the technical owner that this or that vulnerability is critical, how can you do this?
All identified vulnerabilities (or security misconfigurations) should be classified using parameters such as:
- Impact (business) level
Based on the results obtained from your scans and/or manual research, you can later correlate them with information from OWASP or CVSS and assign a specific criticality level (i.e. low, medium, high) to each vulnerability.