Penetration Testing - Which Standard to Use?

By: Paul Walsh

When it comes to penetration testing, there is no "one size fits all" approach. Every network is different, and every company has its own specific security goals. Lots of questions need to be answered in advance of performing the penetration test.
For instance, where will the testing take place? The testing can be done either onsite, offsite, or some combination of the two. How much notice, if any, will the IT staff be given? You can determine whether or not your IT staff will be involved in or notified of the penetration testing.
One important question you must answer is which standard of penetration testing to use. There are three major standards of penetration testing:
1. CHECK
2. OSSTMM
3. OWASP
As with all questions related to penetration testing, which standard to use depends on what you want to learn from the testing. To understand what information you as a company can expect to gain, let's look at an overview of each of these three standards.
CHECK
CHECK grew out of the need to ensure airtight security of government networks. Because of the sensitive and classified information accessible through government networks, a high level of testing is needed, and the testing must also be consistent across the board. The CHECK standard is focused primarily on the security of information stored on a given server. Tests are performed to determine to what extent and in what ways the confidentiality of that information could be compromised.
OSSTMM
OSSTMM stands for the "Open Source Security Testing Methodology Manual." The OSSTMM is a standardized method for penetration testing. The idea is for the company to be assured of the baseline for the testing, regardless of which network security firm they hire. It sets forth detailed mandates regarding which aspects of the network to test, how to conduct the test, and how to analyze the results of the test.
OWASP
OWASP stands for the "Open Web Application Security Project." OWASP is an open source, community-driven effort. The OWASP Foundation states that it is able to provide unbiased information, wholly uninfluenced by any commercial enterprise. The process is a collaborative one, with the focus being on improved security of web applications and services. Through the efforts of the OWASP community, tools are developed and information is catalogued that helps developers, vendors, and consumers design and deploy safe application software.

As you can see, every one of these standards brings something different to the table. CHECK offers intensity capable of securing the most sensitive of networks. OSSTMM lays out a specific set of procedures and guidelines that promises consistency across the board. OWASP rounds out the list with its invaluable input from computer experts around the world.

Looking at what each standard offers in terms of security testing, it could be hard for a company to choose. The good news is that choosing amongst CHECK, OSSTMM, and OWASP isn't your only option. Instead, you can choose a different standard, the one standard on the market that outdoes all of the other three. It's the fourth option, and it's the standard of Protocol Solutions.

Protocol Solutions uses a standardized methodology that meets and exceeds the CHECK, OSSTMM, and OWASP standards. No matter the size of your network or the nature of the data you need to protect, the stringent, focused method of Protocol Solutions' penetration testing will keep you secure.
