Penetration Testing Execution Standard

High-Level Organization of the Standard

The penetration testing execution standard consists of seven (7) main sections. These cover everything related to a penetration test: from the initial communication and the reasoning behind a pentest, through the intelligence gathering and threat modeling phases, where testers work behind the scenes to get a better understanding of the tested organization, through vulnerability research, exploitation and post-exploitation, where the technical security expertise of the testers comes into play and combines with the business understanding of the engagement, and finally to the reporting, which captures the entire process in a manner that makes sense to the customer and provides the most value to it.

This version can be considered a v1.0, as the core elements of the standard are solidified and have been "road tested" for over a year throughout the industry. A v2.0 is in the works and will provide more granular work in terms of "levels", that is, the intensity levels at which each element of a penetration test can be performed. As no pentest is like another, and testing will range from the more mundane web application or network test to a full-on red team engagement, these levels will enable an organization to define how much sophistication it expects its adversary to exhibit, and enable the tester to step up the intensity in those areas where the organization needs it most. Some of the initial work on "levels" can be seen in the intelligence gathering section.

As the basis for penetration test execution, the following are the main sections defined by the standard:

As the standard does not provide any technical guidelines as to how to execute an actual pentest, we have also created a technical guide to accompany the standard itself. The technical guide can be reached via the link below:

For more information on this standard, please visit:

There is only one comment
  1. 阿恒:

    A good start