Penetration Testing Execution Standard
3 likes3,257 views
The document discusses the Penetration Testing Execution Standard (PTES), which aims to establish a common language and standard for penetration testing. It outlines the motivation for PTES due to inconsistent practices. PTES defines the basic seven phases of a penetration test: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The document discusses the initial reactions to PTES and calls on readers to get involved and help advance the standard.
![PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself
• This is a lot of work
• Is this going into PCI/ISO/[someStandard]?](https://image.slidesharecdn.com/ptes-110427081539-phpapp01/85/Penetration-Testing-Execution-Standard-33-320.jpg)
![PTES - initial reactions
• You have to be kidding me
• No one does that
• I can’t do this all by myself
• This is a lot of work
• Is this going into PCI/ISO/[someStandard]?
• We already do that](https://image.slidesharecdn.com/ptes-110427081539-phpapp01/85/Penetration-Testing-Execution-Standard-34-320.jpg)
Penetration Testing Execution Standard
- 1. Penetration Testing Execution Standard Iftach Ian Amit VP Consulting - Security Art Founder - PTES DC9723 March 22nd, 2011
- 2. Agenda • Why? • Who? • How? • You!
- 3. PTES - Why?
- 5. PTES - Why? RAPE! Someone call the police...
- 6. PTES • Common language for organizations and service providers • Set the bar for a common standard to be used • Eliminate hacks (as in run Nessus, generate report, send to customer, charge $10,000)
- 7. PTES - Who? • As always - started during a long night of drinking... • Nickerson (@indi303), Kennedy (author of SET), me (@iiamit), Gates (@carnal0wnage),Val (@attackresearch), Nick (@c7five), Robin (@digininja), Wim (@wimremes), Stefan (@stfn42), lots more... www.pentest-standard.org
- 8. PTES - How? • Basically, define the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis • Exploitation • Post exploitation • Reporting
- 9. PTES - How? • Basically, define the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis • Exploitation • Post exploitation • Reporting
- 10. PTES - How? • Basically, define the basic 7 elements of a pentest: • Pre-engagement • Intelligence gathering • Threat modeling • Vulnerability Analysis “old” pentesting scope • Exploitation • Post exploitation • Reporting
- 11. Pre-Engagement
- 12. Pre-Engagement
- 13. Pre-Engagement
- 17. Threat Modeling
- 18. Threat Modeling
- 21. Exploitation
- 22. Exploitation
- 23. Post-Explotation
- 24. Post-Explotation
- 25. Reporting
- 26. Reporting
- 27. Reporting
- 28. PTES - initial reactions
- 29. PTES - initial reactions • You have to be kidding me
- 30. PTES - initial reactions • You have to be kidding me • No one does that
- 31. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself
- 32. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work
- 33. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work • Is this going into PCI/ISO/[someStandard]?
- 34. PTES - initial reactions • You have to be kidding me • No one does that • I can’t do this all by myself • This is a lot of work • Is this going into PCI/ISO/[someStandard]? • We already do that
- 35. Now what?
- 36. Now what? YOU!
- 37. Now what? YOU! Yes, you...
- 38. Roadmap
- 39. Roadmap • Catch up on all the “official” news at www.pentest-standard.org
- 40. Roadmap • Catch up on all the “official” news at www.pentest-standard.org • Volunteer! (we need working hands...)
- 41. Roadmap • Catch up on all the “official” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011)
- 42. Roadmap • Catch up on all the “official” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011) • Next milestone - ph-neutral (May 2011)
- 43. Roadmap • Catch up on all the “official” news at www.pentest-standard.org • Volunteer! (we need working hands...) • Previous milestone - Shmoocon (Feb 2011) • Next milestone - ph-neutral (May 2011) • Drop the bomb - BlackHat?