- One of the most popular standards or methodologies is the Penetration Testing Execution Standard. You can access the details about the standard at the website that I'm showing on the screen. The Pen Test Execution Standard is divided into seven main sections. They cover everything related to penetration testing, starting from the initial communication and even why you will do a pen test, and all the pre-engagement interactions and scoping, so things like how to develop a statement of work, or SOW. They also cover the rules of engagement. They go over how to define a scope and what is important within your penetration testing engagement. Then they actually go into the intelligence gathering phase, and then threat modeling. And that's where you get a better understanding of the systems and the organization on which you're actually performing the pen test. Then you move into the vulnerability analysis, exploitation, and post-exploitation phases.
Now, at the end of the engagement, you create a pen test report, which is actually one of the most important deliverables that you can provide to your customer, or whoever tasked you to perform the assessment. Now, NIST also published a guide on how to conduct security assessments. The document is the Special Publication 800-115. So 800-115. It is pretty similar to the methodology described in the Pen Testing Execution Standard, but in this case they actually have four major phases. They basically cover the same ground as the seven phases of the pen test standard. Now this methodology starts with planning, and then discovery, attack, and at the end, reporting. Notice that the planning phase has a direct arrow pointing to the reporting. And this is because the planning phase allows you to even discuss how the penetration testing report will be structured and how it will be delivered, and your client, or the person that actually tasked you to do the penetration testing, can actually have specific requirements or things that they want to include in that report.
You can also see a feedback loop between the discovery phase and the attack phase. This is because, depending on the things that you compromise or exploit during the penetration testing engagement, you may actually have to go back and gather more intelligence and information to carry out further attacks. Now, an organization that is actually amazing whenever it comes to web application security, and security as a whole, is the OWASP organization. And they also have a security testing guide that is extremely detailed. So if you're not familiar with OWASP, I highly recommend that you become familiar with them. OWASP stands for Open Web Application Security Project, and it's an international organization and an open community dedicated to enabling organizations to learn more about application security. All of the OWASP tools, documents, white papers, forums, and even local chapters are actually free and open to anyone interested in improving application security.
So one thing that I will advise you is to become familiar with this organization, but also see if in your region, depending on where you're listening from, you may actually have an OWASP local chapter. That allows you to, of course, interact with other security professionals and also to contribute to this collection of resources. At the end of the day, when it comes to application testing or web application security testing, you may be doing a general assessment of an infrastructure, where you will encounter several applications and systems that you actually have to test, but you can also be hired just to perform other tests, such as wireless infrastructure assessments or network infrastructure assessments, and many others. However, in many instances, you may also be hired just to test one application or a set of applications, depending on the scope. So, especially around compliance, you may be tasked to only look at a specific area of the network where some specific applications may actually reside. This is where the scope comes into play.
So having a good and adaptable process and methodology is key to the success of your engagement.