CONCLUSION
This paper examined several penetration testing frameworks and methodologies, with particular reference to
ISSAF and OWASP’s OTG. It was found that many frameworks were either mis-named (i.e., were not actually
frameworks) or lacked domain coverage or a sound ontological foundation and thus were restricted in their
application.
The frameworks were selected for evaluation based on their focus (penetration testing specific or security
general) and their ability to act as a framework (rather than a collection of techniques without a unifying theme).
We found that many “frameworks” were not able to be generalised across problem domains (as would be
expected for a generic pentesting framework). The quality characteristics mapped well to the selected
frameworks (ISSAF and OTG), which suggests that they are appropriate candidates to evaluate penetration
testing frameworks.
The next step in this research programme is to evaluate the selected frameworks with a real-world case study.
ACKNOWLEDGEMENTS
This work has been partially funded by the European Commission via grant agreement no. 611659 for the
AU2EU FP7 project.