Penetration Testing Execution Standard
•
3 likes•3,213 views
The document discusses the Penetration Testing Execution Standard (PTES), which aims to establish a common language and standard for penetration testing. It outlines the motivation for PTES due to inconsistent practices. PTES defines the basic seven phases of a penetration test: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The document discusses the initial reactions to PTES and calls on readers to get involved and help advance the standard.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Penetration Testing Execution Standard
Similar to Penetration Testing Execution Standard (20)
More from Iftach Ian Amit
More from Iftach Ian Amit (20)
Recently uploaded
Recently uploaded (20)
Penetration Testing Execution Standard
- 1. Penetration Testing Execution Standard Iftach Ian Amit VP Consulting - Security Art Founder - PTES DC9723 March 22nd, 2011
- 2. Agenda • Why? • Who? • How? • You!
- 3. PTES - Why?
- 5. PTES - Why? RAPE! Someone call the police...
- 6. PTES • Common language for organizations and service providers • Set the bar for a common standard to be used • Eliminate hacks (as in run Nessus, generate report, send to customer, charge $10,000)
- 7. PTES - Who? • As always - started during a long night of drinking... • Nickerson (@indi303), Kennedy (author of SET), me (@iiamit), Gates (@carnal0wnage),Val (@attackresearch), Nick (@c7five), Robin (@digininja), Wim (@wimremes), Stefan (@stfn42), lots more... www.pentest-standard.org
- 8. PTES - How? • Basically, define the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis • Exploitation • Post exploitation • Reporting
- 9. PTES - How? • Basically, define the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis • Exploitation • Post exploitation • Reporting
- 10. PTES - How? • Basically, define the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis “old” pentesting scope • Exploitation • Post exploitation • Reporting
- 11. Pre-Engagement
- 12. Pre-Engagement
- 13. Pre-Engagement
- 17. Threat Modeling
- 18. Threat Modeling
- 21. Exploitation
- 22. Exploitation
- 23. Post-Explotation
- 24. Post-Explotation
- 25. Reporting
- 26. Reporting
- 27. Reporting
- 28. PTES - initial reactions
- 29. PTES - initial reactions • You have to be kidding me
- 30. PTES - initial reactions • You have to be kidding me • No one does that
- 31. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself
- 32. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work
- 33. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work • Is this going into PCI/ISO/[someStandard]?
- 34. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work • Is this going into PCI/ISO/[someStandard]? • We already do that
- 35. Now what?
- 36. Now what? YOU!
- 37. Now what? YOU! Yes, you...
- 38. Roadmap
- 39. Roadmap • Catch up on all the “official” news at www.pentest-standard.org
- 40. Roadmap • Catch up on all the “official” news at www.pentest-standard.org • Volunteer! (we need working hands...)
- 41. Roadmap • Catch up on all the “official” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011)
- 42. Roadmap • Catch up on all the “official” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011) • Next milestone - ph-neutral (May 2011)
- 43. Roadmap • Catch up on all the “official” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011) • Next milestone - ph-neutral (May 2011) • Drop the bomb - BlackHat?