
Independent Penetration Testing Resources

These resources will help you gain a deeper understanding of penetration testing strategies, methodologies and best practices. Many of the links also offer insights into pressing issues that can necessitate the expansion of your internal IT security assessment capabilities.

If you have questions about penetration testing, or would like to suggest a resource for this list, please contact us at +1 (617) 399-6980 or info@coresecurity.com.

 

General Penetration Testing Information

Wikipedia Article
A high-level definition of penetration testing:
http://en.wikipedia.org/wiki/Penetration_test

SANS Institute Penetration Testing Reading Room
A set of resources on penetration testing trends, authored by students as part of their certification requirements:
http://www.sans.org/reading_room/whitepapers/testing/

Penetration Testing Directory Project
An independent online directory offering links to information on penetration testing and related content:
http://www.penetrationtests.com/

Vulnerability Testing Glossary
A comprehensive index of vulnerability and penetration testing terminology published by the University of Oulu, Finland:
http://www.ee.oulu.fi/research/ouspg/sage/glossary/

Vulnerability Assessment Portal
An information portal for Vulnerability Analysts and Penetration Testers published by an independent U.K.-based expert:
http://www.vulnerabilityassessment.co.uk/index.htm

 


Network Penetration Testing

National Institute of Standards and Technology (NIST)
NIST Guideline on Network Security Testing
http://www.itl.nist.gov/lab/bulletns/bltnnov03.htm

Information Systems Audit and Control Association (ISACA)
“Network Penetration Testing”
A slide presentation authored by Jack Jones, director of information security, Nationwide:
www.isaca-centralohio.org/archive/presentations/2000_10-Network_Penetration.ppt

 


Web Application Penetration Testing

SearchSecurity.com
“Web application penetration testing: Best practices”
An overview of the web application penetration testing process:
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1233892,00.html#

The Open Web Application Security Project (OWASP)
“The Evolution of Web Application Penetration Testing”
A slide presentation with Daniel Cuthbert:
http://www.owasp.org/images/c/ca/AppSec2005DC-Dan_Cuthbert-Evolution_of_App_Pen_Testing.ppt

SecurityFocus
Research article on “Five common Web application vulnerabilities”:
http://www.securityfocus.com/infocus/1864

Ethical Hacker Network
Informational article on “How to Break Software”:
http://www.ethicalhacker.net/content/view/43/2/

 


Client-Side Penetration Testing

SearchFinancialSecurity.com
“Testing for Client-Side Vulnerabilities”
A “how-to” article on client-side penetration testing methodology and techniques authored by Lenny Zeltser, a leading security training expert:
http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1298546,00.html

ebizQ.com
“Penetration Testing Like a True Hacker”
A column on the need to test client-side applications by leading security analyst, Mike Rothman:
http://www.ebizq.net/blogs/mike_rothman/2008/03/penetration_testing_like_a_tru.php

GNU Citizen.org
“Client-side SQL Injection Attacks”
A short essay on the ability to exploit clients using SQL injection techniques, authored by contributors to an information security think tank:
http://www.gnucitizen.org/blog/client-side-sql-injection-attacks/

Usenix.org
“An Encrypted Payload Protocol and Target-Side Scripting Engine”
A methodology for carrying out client-side penetration testing, authored by noted researcher Dino Dai Zovi:
http://www.usenix.org/event/woot07/tech/full_papers/daizovi/daizovi_html/

 


 

Wireless Penetration Testing

SANS Institute
Wireless security training and penetration testing tutorial:
http://www.sans.edu/resources/securitylab/wireless_framing_2.php

PaulDotCom Network Security Projects
Notes from a training course on hacking wireless routers and using them in penetration tests:
http://pauldotcom.com/wiki/index.php/Sec535

 


Penetration Testing and Compliance

PCI Standards Board
“Information Supplement: Requirement 11.3 Penetration Testing”
An outline of the penetration testing requirements for the Payment Card Industry’s Data Security Standard:
https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf

SearchSecurity.com
“Penetration testing: Helping your compliance efforts”
Mike Rothman explains why penetration testing is a critical aspect of any security program:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1312508,00.html

ITBusinessEdge
“Penetration Testing Key to HIPAA Compliance for Care New England”
An interview with Larry Pesce, manager, IT security, Care New England Health System:
http://www.itbusinessedge.com/item/?ci=16382

 


Penetration Testing Methodologies

InfoSec Institute
A security training organization’s blog on practical penetration testing techniques:
http://www.infosecinstitute.com/blog/2005/10/penetration-testing-methodology-fact.html

Common Criteria Web Application Security Scoring (CCWAPSS)
A comprehensive security scoring method for Web applications:
http://ccwapss.blogspot.com/

Penetration Testing Framework
An outline for planning assessments and gathering information relevant to the penetration testing process:
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

 


Penetration Testing Blogs & Opinions

Penetration Testing Directory Project Blog
An ongoing study of the security assessment process, industry and related issues, written by professional pen testers:
http://www.penetrationtests.com/blog/

Spylogic.net
A blog about security and penetration testing, written by a professional pen tester:
http://spylogic.net/

 


Penetration Testing Training

Hacker Academy
http://www.thehackeracademy.com/

InfoSec Institute  
http://www.infosecinstitute.com

International Council of Electronic Commerce Consultants
http://www.eccouncil.org

Mile2
http://www.mile2.com

PaulDotCom
http://pauldotcom.com/

SANS Institute
http://www.sans.org/

TrueSec
http://www.TrueSec.com

Vigilar's Intense School
http://www.vigilar.com/training

7SAFE
http://7safe.com

 


Penetration Testing White Papers, Podcasts and Other Resources

Penetration Testing Mailing List
A mailing list for the discussion of issues and questions about penetration testing and network auditing, hosted by SecurityFocus:
http://www.securityfocus.com/archive/101/description

Security Weekly Podcasts
Audio podcasts that cover a broad array of security and penetration testing issues:
http://www.pauldotcom.com/podcasts/

Security Training WebCasts
A series of expert videocasts hosted by leading security and testing trainers from SANS Institute:
http://www.sans.org/webcasts/

 
