Security Testing Methodologies

Security Testing should be done in a standardized process. It cannot be tacked on to an application at the last minute. A proper security framework should include continuous security training for all developers, threat models for the entire system, regular code reviews and frequent penetration testing.

There are few methodologies which can adopt to do pentesting.

  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Open Web Application Security Project (OWASP)
  • Information Systems Security Assessment Framework (ISSAF)
  • Web Application Security Consortium Threat Classification (WASC-TC)

OSSTMM: The aim of The Open Source Security Testing Methodology Manual is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organization concerns, such as the corporate profile of the penetration-testing provider.The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does.
                                                                   The OSSTMM has a strong following in the community and provides a good reference for what areas need to be examined and what types of results to expect. It is not a "click here, do that" type of document; rather, it requires a level of knowledge of various tools and techniques to accomplish the goals of the tests. Version 3.0 of the OSSTMM is a significant update that is still a work in progress. As of this writing, it is in beta with no timeline announced for release. Becoming a member of the project will provide access to the current beta draft and other documents such as templates and spreadsheets that can be used in conducting an audit with this methodology.

OWASP: The aim of the project is to help people understand the what, why, when, where, and how of testing web applications. The project has delivered a complete testing framework, not merely a simple checklist or prescription of issues that should be addressed
The framework does not simply highlighting areas of weakness, although the latter is certainly a by product of many of the OWASP guides and checklists. As such, hard decisions had top be made about the appropriateness of certain testing techniques and technologies.
The OWASP testing methodology is split as follows:
  • Information gathering
  • Configuration management
  • Authentication testing
  • Session management
  • Authorization testing
  • Business logic testing
  • Data validation testing
  • Denial of service testing
  • Denial of service testing
  • Web services testing
  • AJAX testing
ISSAF Penetration testing methodology is designed to evaluate your network, system and application controls. It consists three phases approach and nine steps assessment. The approach includes following three phases:
  • Phase – I: Planning and Preparation 
  • Phase – II: Assessment 
  • Phase – III: Reporting, Clean-up and Destroy Artifacts

WASC Threat Classification: is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues.

1 comment:

  1. Pretty article! I found some useful information in your blog, it was awesome to read, thanks for sharing this great content to my vision, keep sharing. Need to learn
    Security Testing Services
    Test Automation Services
    Software Testing Services
    Compatibility Testing Services
    Regression Testing Services