
Penetration Testing Execution Standard

The Penetration Testing Execution Standard consists of seven main sections. They cover everything concerning a penetration test, from the preliminary communication and effort behind a pen test; through the information-gathering and threat-modeling phases, where testers are working behind the scenes to get a better understanding of the tested corporation; through vulnerability research, exploitation, and post-exploitation, where the practical security knowledge of the testers comes into play and combines with the business intelligence; and finally to reporting, which outlines the entire procedure in a format that the customer can understand.
This version can be considered v1.0, as the core elements of the standard are solidified and have been field-tested for over a year throughout the industry. v2.0 is in the making and will provide more granular work in terms of levels, that is, the intensity levels at which each of the elements of a penetration test can be performed. As no pen test is like another, and testing will range from web application or network tests to a full-on red-team black-box engagement, these levels will enable an organization to outline how much complexity it expects its testers to unveil, and enable the tester to step up the intensity in the areas that the organization deems necessary. Some of the initial work on levels can be seen in the intelligence-gathering section.
The following are the main sections defined by the standard as the basis for executing penetration tests:

  • Pre-engagement interactions
  • Intelligence-gathering
  • Threat-modeling
  • Vulnerability analysis
  • Exploitation
  • Post-exploitation
  • Reporting