Penetration Testing mailing list archives
Re: Evaluating pentesters
From: "Drexx Laggui [personal]" <drexxl () gmail com>
Date: Thu, 8 Apr 2010 15:08:25 +0800
08Apr2010 (UTC +8)

Hiya Tony,

I'd like to add that the OSSTMM is a great tool used for pentesting. I have benefited from it a great deal because it helped me communicate with my client as to what pentesting really is in detail, and how it can specifically help their business. Go through it, and use it to filter out the wannabes vs the real pentesters that you're looking for.

Another tool that you may want to use is a specific part of the Common Criteria. I think the metrics here would be a great tool for your needs. What can be found below is "AVA_VAN.3 Focused vulnerability analysis" used for EAL4. I've taken the liberty of translating CC lingo like TOE, SFR, ETR, to something more easily understood in context by most people. The results of an evaluation are not given ambiguous ratings like High / Medium / Low risk ratings, but verdicts like Pass / Fail / Inconclusive.

AVA_VAN.3-1 The pentest customer shall examine the IT System to determine that the test configuration is consistent with the configuration under evaluation as specified in the Security Target (i.e., documented specs of the IT product under evaluation).

AVA_VAN.3-2 The pentest customer shall examine the IT System to determine that it has been installed properly and is in a known state.

AVA_VAN.3-3 The pentester shall examine sources of information publicly available to identify potential vulnerabilities in the IT System.

AVA_VAN.3-4 The pentester shall conduct a focused search of the IT product under evaluation, its guidance documentation, functional specification, IT System design, security architecture description and implementation representation to identify possible potential vulnerabilities in the IT System.

AVA_VAN.3-5 The pentester shall record in the Risk Assessment Report the identified potential vulnerabilities that are candidates for testing and applicable to the IT System in its operational environment.

AVA_VAN.3-6 The pentester shall devise penetration tests, based on the independent search for potential vulnerabilities.

AVA_VAN.3-7 The pentester shall produce penetration test documentation for the tests based on the list of potential vulnerabilities in sufficient detail to enable the tests to be repeatable. The test documentation shall include:
  a) identification of the potential vulnerability the IT System is being tested for;
  b) instructions to connect and set up all required test equipment as required to conduct the penetration test;
  c) instructions to establish all penetration test prerequisite initial conditions;
  d) instructions to stimulate the IT System's Interfaces;
  e) instructions for observing the behaviour of the IT System's Interfaces;
  f) descriptions of all expected results and the necessary analysis to be performed on the observed behaviour for comparison against expected results;
  g) instructions to conclude the test and establish the necessary post-test state for the IT System.

AVA_VAN.3-8 The pentester shall conduct penetration testing.

AVA_VAN.3-9 The pentester shall record the actual results of the penetration tests.

AVA_VAN.3-10 The pentester shall report in the Risk Assessment Report the pentester's penetration testing effort, outlining the testing approach, configuration, depth and results.

AVA_VAN.3-11 The pentester shall examine the results of all penetration testing to determine that the IT System, in its operational environment, is resistant to an attacker possessing an Enhanced-Basic attack potential.

AVA_VAN.3-12 The pentester shall document in the Risk Assessment Report all exploitable vulnerabilities and residual vulnerabilities, detailing for each:
  a) its source (e.g. evaluation activity being undertaken when it was conceived, known to the pentester, read in a publication);
  b) the Security Functional Requirement(s) not met;
  c) a description;
  d) whether it is exploitable in its operational environment or not (i.e. exploitable or residual);
  e) the amount of time, level of expertise, level of knowledge of the IT System, level of opportunity and the equipment required to perform the identified vulnerabilities, and the corresponding values using tables 3 and 4 of Annex B.4 of the Common Methodology for Information Technology Security Evaluation document (CEMv3.1r3.pdf).

Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
http://www.laggui.com ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
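The scoring the post points at in AVA_VAN.3-12(e) and the verdict in AVA_VAN.3-11 can be made mechanical. This is an added example, not part of Drexx's post or of the CEM itself; the point values are reproduced from my recollection of CEMv3.1r3 Annex B.4 Tables 3 and 4 and should be checked against that document before use in a report, and the two findings scored at the bottom are constructed.

```python
# Added example: attack-potential scoring (CEM Annex B.4) and the AVA_VAN.3-11 verdict.
# Point values below are an assumption (from memory of CEMv3.1r3 Tables 3 and 4).

TABLE3 = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=2 weeks": 2, "<=1 month": 4,
                     "<=2 months": 7, "<=3 months": 10, "<=4 months": 13,
                     "<=5 months": 15, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11},
    # window of opportunity "none": the attack cannot be carried out at all
    "opportunity": {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 10, "none": None},
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9},
}
# Table 4 rows: (lowest point total, potential required to exploit, system resists attackers of)
TABLE4 = [(0, "Basic", "No rating"), (10, "Enhanced-Basic", "Basic"),
          (14, "Moderate", "Enhanced-Basic"), (20, "High", "Moderate"),
          (25, "Beyond High", "High")]
RANK = {n: i for i, n in enumerate(["No rating", "Basic", "Enhanced-Basic", "Moderate", "High"])}

def attack_points(**factors):
    """Sum the Table 3 values for all five factors; None if a factor rules the attack out."""
    missing = set(TABLE3) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    total = 0
    for name, level in factors.items():
        value = TABLE3[name][level]          # KeyError for a level not in the table
        if value is None:
            return None
        total += value
    return total

def resistance(points):
    """Table 4 lookup: the attack potential the IT System resists for a point total."""
    if points is None:
        return "High"                        # no window of opportunity: not exploitable
    return [row[2] for row in TABLE4 if points >= row[0]][-1]

def verdict(points, required="Enhanced-Basic"):
    """AVA_VAN.3-11/-12(d): 'residual' if the system's resistance reaches the required
    level (Enhanced-Basic for EAL4), otherwise 'exploitable'."""
    return "residual" if RANK[resistance(points)] >= RANK[required] else "exploitable"

# Constructed finding: a misconfiguration anyone can use within a day with public knowledge.
EASY = attack_points(elapsed_time="<=1 day", expertise="layman", knowledge="public",
                     opportunity="easy", equipment="standard")
# Constructed finding: needs several experts, restricted documentation and bespoke equipment.
HARD = attack_points(elapsed_time="<=3 months", expertise="multiple experts",
                     knowledge="restricted", opportunity="moderate", equipment="bespoke")

if __name__ == "__main__":
    for label, pts in (("EASY", EASY), ("HARD", HARD)):
        print(label, pts, resistance(pts), verdict(pts))
```

A finding that scores below 14 points is therefore written up as exploitable at EAL4, and one at 14 or above as residual.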