Company management has asked that you compare the OSSTMM and the PTES in order to determine which methodology to select for internal testing. Compare these two methodologies and write a report to management. When writing your report, make sure you are writing it as though you are writing it as a report to management, not as though you were just answering a homework assignment question.
This report discusses two internal testing methodologies, OSSTMM and PTES. It explains how OSSTMM and PTES play a significant role in internal testing, operational security testing, and business testing, and it describes the various penetration testing methods. The Open Source Security Testing Methodology Manual and the Penetration Testing Execution Standard are important penetration testing methods. These techniques address various issues in a system, analyze and evaluate the data, and provide an effective solution.
OSSTMM (Open Source Security Testing Methodology Manual) plays a vital role in internal testing. It is a method and technique for testing and analyzing the operational security and precautions of a physical unit, covering individual security testing, workflow, physical security testing, telecommunication security testing, wireless security analysis, data network security assessment, and compliance with rules and regulations. It is not a risk assessment methodology. It refers to the collection and analysis of data to produce enough results and outcomes to support risk decisions. It measures and evaluates the state of operational security and safety so that decisions can be made on the basis of scientific data (Ghazouani, Faris, Medromi & Sayouti, 2014). It is also called a threat analysis technique. It also measures and evaluates the progress and development of the security operations of any organization. The Open Source Security Testing Methodology Manual includes the following.
- Rule of engagement: The rule of engagement is the initial exposure to the OSSTMM. It includes 50 individual points of marketing and sales approach. The rules are very specific about permission, contracts, notification, and performing the actual estimation.
- Critical security thinking: Critical security thinking also plays a major role in OSSTMM. It is the practice and process of using facts, logic, experience, and opinion to shape ideas about security.
- True analysis: This is another new concept in OSSTMM; it analyzes and evaluates information security. It secures and maintains trust and assures its flexibility and integrity. The true analysis concept is used in the security testing procedure (Dinis & Serrão, 2014).
PTES: The Penetration Testing Execution Standard (PTES) includes seven phases: intelligence gathering, threat modeling, pre-engagement communications and interactions, vulnerability analysis and examination, exploitation, reporting, and post exploitation. PTES explains and analyzes the techniques, tools, and methods of the pre-engagement stage of a penetration test (Knowles, Baron & McGarr, 2016). It includes the important questions which must be answered before a test starts. Penetration testing should not be stimulating or confrontational. It should identify and analyze business and management risk. Rather than offering only a process, technique, and methodology, PTES also provides recommended testing tools and techniques and the rationale for those tools. In this way, it plays a significant role in the internal testing of the management. It is also known as a hacker, white-hat, or ethical testing method. It provides guidelines and information to customers related to the testing. The penetration testing phases are shown in the diagram below.
(Source: Knowles, Baron & McGarr, 2016)
PTES provides both security and business services to service providers in a common language, and it also provides scope for performing dissemination and penetration. OSSTMM, on the other hand, does not provide information about business services; it is only a method of operational security testing. OSSTMM is good for general and common security testing, but it does not provide a specific and explicit reference for the testing. OSSTMM also includes the security test audit report and the operational security matrix, whereas PTES does not include the operational security matrix. It is assumed that both OSSTMM and PTES play a significant role in the internal testing of management (Allen, Heriyanto & Ali, 2014).
The Open Source Security Testing Methodology Manual and the Penetration Testing Execution Standard play a vital role in the internal testing of management. Both OSSTMM and PTES should improve their testing tools and techniques. OSSTMM should also include business security testing, and PTES should include the operational security matrix, in order to analyze and identify the data and internal management of the organization. In this way, these tools and techniques will become more efficient and effective in the future.
In conclusion, the Open Source Security Testing Methodology Manual and the Penetration Testing Execution Standard are important tools and techniques for operational security, the business security matrix, and internal testing of the organization. Management should focus more on these tools and techniques to resolve problems and issues. Both techniques should use effective key concepts and methodologies for internal testing.
Allen, L., Heriyanto, T., & Ali, S. (2014). Kali Linux–Assuring Security by Penetration Testing. Packt Publishing Ltd.
Dinis, B., & Serrão, C. (2014). Using PTES and open-source tools as a way to conduct external footprinting security assessments for intelligence gathering. Journal of Internet Technology and Secured Transactions (JITST), (3/4), 271-279.
Ghazouani, M., Faris, S., Medromi, H., & Sayouti, A. (2014). Information Security Risk Assessment: A Practical Approach with a Mathematical Formulation of Risk. International Journal of Computer Applications, 103(8).
Knowles, W., Baron, A., & McGarr, T. (2016). The simulated security assessment ecosystem: Does penetration testing need standardisation? Computers & Security, 62, 296-316.