The Penetration Testing Execution Standard
Q: What is this "Penetration Testing Execution Standard"?
A: It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. security evaluations).
Q: Who is involved with this standard?
A: We are a group of information security practitioners from all areas of the industry (i.e. financial institutions, service providers, security vendors). The group currently consists of:
Click here for the members list.
Q: So is this a closed group or can I join in?
A: We started this with about 6 people; the first in-person meeting had almost 20. We would love more insight and down-to-earth opinions, so if you can contribute please feel free to email us.
Q: Is this going to be a formal standard?
A: We are aiming to create an actual standard so that businesses can have a baseline of what is needed when they get a pentest, as well as an understanding of what type of testing they require or would provide value to their business. The current lack of standardization is only hurting the industry: businesses are getting low-quality work done, and practitioners lack guidance on what is needed to provide a quality service.
Q: Is the standard going to include all possible pentest scenarios?
A: While we can't possibly cover all scenarios, the standard is going to define a baseline for the minimum that is required from a basic pentest, as well as several "levels" on top of it that provide the more comprehensive activities required by organizations with higher security needs. The different levels would also be defined per the industry for which they should serve as the baseline.
Q: Is this effort going to standardize the reporting as well?
A: Yes. We feel that providing a standard for the test without defining how the report is provided would be useless. We will define both executive (business) reporting as well as technical reporting as an integrated part of the standard.
Q: Who is the intended audience for this standard/project?