What Are the Different Types of Penetration Test Methodology?

There are essentially two major types of penetration test methodology — in-house and industry standard — though within these are an almost limitless number of variations. An in-house methodology is one developed by a company, typically the one performing the test, for use by its employees. Industry standard methodologies, on the other hand, are those developed by major security organizations for use by other companies in an attempt to make a standard methodology that is universally recognized and approved. Both types of penetration test methodology can be effective, and the best one for any particular penetration test usually depends a great deal on the person performing the test.

A penetration test methodology is a series of rules or guidelines used to perform penetration testing on a computer system or network. This type of testing is typically done to determine what possible weaknesses there may be in a system that can be used by hackers to launch an attack on that system. Once this initial analysis is complete, then the tester typically launches a simulated attack against the system to determine just how vulnerable those weaknesses are. A penetration test methodology is often used to determine just how this sequence of evaluation and testing should be conducted, and to provide testers with guidelines for documenting the procedure.

One of the most common types of penetration test methodology is an in-house methodology. This is a document created by a company for use by its employees as they are performing penetration tests on a system. An in-house penetration test methodology can be prepared by a company that has hired someone to perform testing on its system, or by a company that hires out its services to other businesses to test them. This type of methodology may be preferred by some testers, as following it ensures that any complaints the client may have about the testing can be disputed using the methodology provided by the client for the tester.

An industry standard penetration test methodology, on the other hand, is a document created by a computer security company for use by other testers. This type of methodology is usually intended for use by testers not employed by the company that created it. One of the benefits of this type of methodology is that testers can more easily point to a single, unified method by which they can learn and demonstrate their competence. The flaws with an industry standard penetration test methodology, however, are that companies may not like all of the methods set up in it, and it can be difficult to determine which method truly acts as an industry standard.