Penetration Testing Methodologies

Security Testing should be done in a standardized process. I would say, this should be done with meticulous care because you will not do this for every sprint/build release. It cannot be tacked on to an application at the last minute. A proper security framework should include continuous security training for all developers, threat models for the entire system, regular code reviews and planned penetration testing. There are few methodologies which you can adopt to perform pen-testing.


  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Open Web Application Security Project (OWASP)
  • Information Systems Security Assessment Framework (ISSAF)
  • Web Application Security Consortium Threat Classification (WASC-TC)


OSSTMM: The aim of The Open Source Security Testing Methodology Manual is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organization concerns, such as the corporate profile of the penetration-testing provider.The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does.
                              The OSSTMM has a strong following in the community and provides a good reference for what areas need to be examined and what types of results to expect. It is not a “click here, do that” type of document; rather, it requires a level of knowledge of various tools and techniques to accomplish the goals of the tests. Version 3.0 of the OSSTMM is a significant update that is still a work in progress. As of this writing, it is in beta with no timeline announced for release. Becoming a member of the project will provide access to the current beta draft and other documents such as templates and spreadsheets that can be used in conducting an audit with this methodology.

OWASP: Open Web Application Security Project, the aim of the project is to help people understand the what, why, when, where, and how of testing web applications. The project has delivered a complete testing framework, not merely a simple checklist or prescription of issues that should be addressed

The framework does not simply highlighting areas of weakness, although the latter is certainly a by product of many of the OWASP guides and checklists. As such, hard decisions had top be made about the appropriateness of certain testing techniques and technologies.

The OWASP testing methodology is split as follows:

  • Information gathering
  • Configuration management
  • Authentication testing
  • Session management
  • Authorization testing
  • Business logic testing
  • Data validation testing
  • Denial of service testing
  • Denial of service testing
  • Web services testing
  • AJAX testing


ISSAF: Information Systems Security Assessment Framework, this Penetration testing methodology is designed to evaluate your network, system and application controls. It consists three phases approach and nine steps assessment. The approach includes following three phases:
  • Phase – I: Planning and Preparation
  • Phase – II: Assessment
  • Phase – III: Reporting, Clean-up and Destroy Artifacts
WASC Threat Classification: Web Application Security Consortium Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues.
I would  suggest you to adopt OWASP because I’m following it. LOL ! just kidding. you should adopt a methodology as per your company standards.
Source of the content: various books.

One thought on “Penetration Testing Methodologies

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s