Attack of the Acronyms - Pentest People
Robin Hill, co-founder of Pentest People writes
Pentest People was founded in 2017 with a mission to be the best penetration testing company in the UK. While that makes the company relatively young, the people behind it have been part of the cyber security industry for more than two decades. During that time we’ve become familiar with our fair share of industry acronyms and pentesting frameworks. We’ve also innovated within those frameworks to help our clients to stay on top of their cyber risks, even when we can’t physically be on site to assess their networks, configurations, apps, people, physical security and processes.
Our Penetration Testing as a Service (PTaaS) provides a blend of automated scanning and consultant-led tests, delivering continuous vulnerability monitoring, management and remediation. PTaaS avoids the ‘snapshot’ approach of certain compliance frameworks, which can leave organisations exposed to new threats that lower their defences against hacking, data theft and ransomware. At International Cyber Expo we’ll be showcasing our SecurePortal 2.0, which provides a live platform showing the vulnerabilities discovered by our PTaaS, and we’ll be happy to explain how we’re re-inventing penetration testing to meet new cyber risks head on.
What are the main pentesting frameworks?
When you walk through the doors at Olympia, you’re likely to be bombarded with cyber security acronyms. If you’re planning on engaging a pentester, these are the ones that matter:
OSSTMM– stands for Open-Source Security Testing Methodology Manual. Developed and maintained by the Institute for Security and Open Methodologies (ISECOM), OSSTM covers multiple pentesting methodologies, spanning social engineering through to network security.
As our name suggests, we combine the best methodologies and the very best people to ensure that your business networks, configurations, web apps and processes are thoroughly tested for vulnerabilities that could expose your organisation to hacking, malware infection, or a ransomware attack.
Our co-founders include our technical director, Gavin Watson, who literally wrote the book on social engineering, and Andrew Mason, who is a Certified Information Systems Security Professional (CISSP), Cisco Certified Internetwork Expert, and a Qualified Security Assessor for the Payment Card Industry Data Security Standard (PCI DSS). Over the past 20 years Andrew has written 12 books for McGraw Hill, Cisco Press and Syngress, including the first Cisco book on Internet Security and the first Cisco book on Virtual Private Networks. In 2007-2009 he was a Cisco Network Academy tutor, teaching the CCNA to students at night school. Gavin and Andrew have spent the past five years assembling a crack team of ethical hackers, cyber security consultants and software developers who will help your business to stay ahead of the latest threats.
OWASP (Open Web Application Security Project)’s Web Security Testing Guide (WSTG) provides a comprehensive range of tools, methodologies, documentation and technologies to help security consultants to identify vulnerabilities in web applications, mobile applications and firmware. OWASP WTSG has been developed by a community of volunteers who continually update the resources as fresh vulnerabilities are discovered.
Our resident web app experts, Liam Follin, Josh Hickling, Alex Archondakis and Eime Adomaviciute, backed by our rapidly-growing team of UK-based consultants, will guide you through the process of checking your company’s web, mobile and firmware for any configurations that could put your business at risk.
NIST – the National Institute of Standards and Technology is the US standards body that has been providing guidelines and resources on best practices for information and cyber security for the past 50 years. NIST special publication (SP) 800- 115, ‘A technical guide to Information Security Testing and Assessment,’ focuses primarily on infrastructure testing. This provides our customers with the reassurance that we are following best practice guidelines and applying consistency in our assessments of their configurations. We also use our own blend of expertise to provide a more in-depth overview of vulnerabilities that we’ve discovered on our clients’ networks, applications and systems, with guidance on how to put these right.
Come to us for clear advice and support
These are just a few of the frameworks that we use to help maintain our customers’ cyber defences.
So if you’re looking for clear guidance on mitigating risks to your business, without being bombarded with jargon, come and talk to Pentest People on Stand J50 (that’s our stand number, not another acronym :- )
If you’d like to book a demo ahead of the show, email firstname.lastname@example.org and we’ll be happy to show how SecurePortal provides a live audit of your pentests to help you to stay on top of cyber risks.
References and further reading:
Pentest People - Penetration Testing Methodologies https://www.pentestpeople.com/penetration-testing-methodologies/
ISECOM – OSSTMM - https://www.isecom.org/about.html
Social Engineering Penetration Testing, Gavin Watson, Andrew Mason, Richard Ackroyd https://www.elsevier.com/books/social-engineering-penetration-testing/watson/978-0-12-420124-8
OWASP Web Security Testing Guide https://owasp.org/www-project-web-security-testing-guide/
NIST - SP 800-115 Technical Guide to Information Security Testing and Assessment https://csrc.nist.gov/publications/detail/sp/800-115/final
Pentest People - Penetration Testing Remediation Consultancy Service https://www.pentestpeople.com/penetration-testing-remediation-consultancy-service/
Pentest People – SecurePortal https://www.pentestpeople.com/pentest-people-secure-portal/