Penetration testing methodologies and standards - IBM Blog


The online space continues to grow rapidly, opening more opportunities for cyberattacks to occur within a computer system, network, or web application. To mitigate and prepare for such risks, penetration testing is a necessary step in finding security vulnerabilities that an attacker might use.

What is penetration testing?

A penetration test, or “pen test,” is a security test that simulates a cyberattack in action. The simulated attack may include a phishing attempt or a breach of a network security system. There are different types of penetration testing available to an organization depending on the security controls that need to be evaluated. The test can be run manually or with automated tools, following a specific course of action known as a pen testing methodology.

Why penetration testing and who is involved?

The terms “ethical hacking” and “penetration testing” are sometimes used interchangeably, but there is a difference. Ethical hacking is a broader cybersecurity field that includes any use of hacking skills to improve network security. Penetration tests are just one of the methods ethical hackers use. Ethical hackers may also perform malware analysis and risk assessment, and apply other hacking tools and techniques, to uncover and fix security weaknesses rather than cause harm.

IBM’s Cost of a Data Breach Report 2023 found the global average cost of a data breach in 2023 to be USD 4.45 million, a 15% increase over 3 years. One way to mitigate these breaches is by performing accurate and pointed penetration testing.

Companies hire pen testers to launch simulated attacks against their apps, networks, and other assets. By staging these attacks, penetration testers help security teams uncover critical security vulnerabilities and improve overall security posture. These attacks are often performed by red teams, or offensive security teams. The red team simulates a real attacker’s tactics, techniques and procedures (TTPs) against the organization’s own systems as a way to assess security risk.

There are several penetration testing methodologies to consider as you enter the pen testing process. The organization’s choice will depend on the category of the target organization, the goal of the pen test and the scope of the security test. There is no one-size-fits-all approach. An organization must understand its own security issues and security policy for a fair vulnerability analysis to take place before the pen test begins.


5 top penetration testing methodologies

One of the first steps in the pen testing process is deciding on which methodology to follow.

Below, we’ll dive into five of the most popular penetration testing frameworks and pen testing methodologies to help guide stakeholders and organizations to the best method for their specific needs and ensure it covers all required areas.

1. Open-Source Security Testing Methodology Manual

Open-Source Security Testing Methodology Manual (OSSTMM) is one of the most popular standards of penetration testing. This methodology is peer-reviewed for security testing and was created by the Institute for Security and Open Methodologies (ISECOM).

The method is based on a scientific approach to pen testing with accessible and adaptable guides for testers. The OSSTMM includes key features, such as an operational focus, channel testing, metrics and trust analysis in its methodology.

OSSTMM provides a framework for network penetration testing and vulnerability assessment for pen testing professionals. It is meant to be a framework for providers to find and resolve vulnerabilities, such as exposure of sensitive data and weaknesses in authentication.

2. Open Web Application Security Project

OWASP, short for Open Web Application Security Project, is an open-source organization dedicated to web application security.

The non-profit organization’s goal is to make all its material free and easily accessible for anyone who wants to improve their own web application security. OWASP publishes its own Top 10, a well-maintained report outlining the biggest security concerns and risks to web applications, such as cross-site scripting, broken authentication and bypassing a firewall. OWASP uses the Top 10 list as a basis for its OWASP Testing Guide.

The guide is divided into three parts: OWASP testing framework for web application development, web application testing methodology and reporting. The web application methodology can be used separately or as a part of the web testing framework for web application penetration testing, mobile application penetration testing, API penetration testing, and IoT penetration testing.

3. Penetration Testing Execution Standard

PTES, or Penetration Testing Execution Standard, is a comprehensive penetration testing method.

PTES was designed by a team of information security professionals and is made up of seven main sections covering all aspects of pen testing. The purpose of PTES is to have technical guidelines to outline what organizations should expect from a penetration test and guide them throughout the process, starting at the pre-engagement stage.

The PTES aims to be the baseline for penetration tests and to provide a standardized methodology for security professionals and organizations. The guide provides a range of resources, such as best practices for each stage of the penetration testing process, from start to finish. Two key features of PTES are exploitation and post-exploitation. Exploitation refers to the process of gaining access to a system through penetration techniques such as social engineering and password cracking. Post-exploitation is the phase in which data is extracted from a compromised system and access is maintained.

4. Information System Security Assessment Framework

Information System Security Assessment Framework (ISSAF) is a pen testing framework supported by the Open Information Systems Security Group (OISSG).

This methodology is no longer maintained and is likely not the best source for the most up-to-date information. However, one of its main strengths is that it links individual pen testing steps with specific pen testing tools. This type of format can be a good foundation for creating an individualized methodology.

5. National Institute of Standards and Technology

NIST, short for the National Institute of Standards and Technology, publishes a cybersecurity framework and guidance that provide a set of pen testing standards for the federal government and outside organizations to follow. NIST is an agency within the U.S. Department of Commerce, and its guidance should be considered the minimum standard to follow.

NIST penetration testing follows the guidance NIST publishes. To comply with that guidance, organizations must perform penetration tests according to its pre-determined set of guidelines.

Pen testing stages

Set a scope

Before a pen test begins, the testing team and the company set a scope for the test. The scope outlines which systems will be tested, when the testing will happen, and the methods pen testers can use. The scope also determines how much information the pen testers will have ahead of time.

Start the test

The next step is to execute the scoping plan and assess vulnerabilities and functionality. In this step, network and vulnerability scanning can be done to get a better understanding of the organization’s infrastructure. Internal testing and external testing can be done depending on the organization’s needs. There are a variety of tests the pen testers can do, including black-box, white-box, and gray-box tests. Each provides a different degree of prior information about the target system.

Once an overview of the network is established, testers can start analyzing the system and applications within the scope given. In this step, pen testers are gathering as much information as possible to understand any misconfigurations.

Report on findings

The final step is to report and debrief. In this step, it is important to develop a penetration testing report with all the findings from the pen test outlining the vulnerabilities identified. The report should include a plan for mitigation and the potential risks if remediation does not occur.
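The scope agreed in the first stage is only useful if every later action is checked against it. As an added example that is not part of the IBM article or any X-Force tool, the following Python encodes a constructed rules-of-engagement scope (authorised ranges, carved-out hosts, testing window and permitted methods; all values are invented) and refuses any target, method or time that falls outside it:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Scope:  # rules of engagement agreed before testing (constructed values)
    allowed_networks: tuple     # CIDR ranges the client authorised
    excluded_hosts: frozenset   # addresses carved out of those ranges
    window_start: datetime      # agreed testing window, UTC
    window_end: datetime
    allowed_methods: frozenset  # test methods the client permitted

    def check(self, target, method, when):
        """Return (allowed, reason); call before every scan or test action."""
        if method not in self.allowed_methods:
            return False, f"method {method!r} not permitted by the engagement"
        if not self.window_start <= when <= self.window_end:
            return False, f"outside the testing window at {when.isoformat()}"
        try:
            addr = ip_address(target)
        except ValueError:
            return False, f"{target!r} is not an address; resolve and re-check it"
        if str(addr) in self.excluded_hosts:
            return False, f"{addr} is explicitly excluded"
        if not any(addr in ip_network(n) for n in self.allowed_networks):
            return False, f"{addr} is outside every authorised range"
        return True, "in scope"

# Constructed engagement: one /24, one host carved out, two-day window, no social engineering.
SAMPLE_SCOPE = Scope(
    allowed_networks=("10.20.30.0/24",),
    excluded_hosts=frozenset({"10.20.30.5"}),
    window_start=datetime(2024, 3, 4, 8, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 5, 18, tzinfo=timezone.utc),
    allowed_methods=frozenset({"network_scan", "web_app"}),
)

def sample_decisions():
    """Run constructed requests through SAMPLE_SCOPE; returns {label: allowed}."""
    t_in = datetime(2024, 3, 4, 9, tzinfo=timezone.utc)
    t_out = datetime(2024, 3, 6, 9, tzinfo=timezone.utc)
    cases = {
        "host_in_range": ("10.20.30.7", "network_scan", t_in),
        "excluded_host": ("10.20.30.5", "network_scan", t_in),
        "other_subnet": ("10.20.31.7", "network_scan", t_in),
        "method_not_agreed": ("10.20.30.7", "social_engineering", t_in),
        "after_window": ("10.20.30.7", "web_app", t_out),
        "unresolved_name": ("app.internal", "web_app", t_in),
    }
    return {k: SAMPLE_SCOPE.check(*v)[0] for k, v in cases.items()}
```

Hostnames are rejected rather than resolved so that a name pointing at an unexpected address cannot silently widen the scope.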

Pen testing and IBM

If you try to test everything, you’ll waste your time, budget and resources. By using a communication and collaboration platform with historical data, you can centralize, manage, and prioritize high-risk networks, applications, devices, and other assets to optimize your security testing program. The X-Force® Red Portal enables everyone involved in remediation to view test findings immediately after vulnerabilities are uncovered and schedule security tests at their convenience.
