1
00:00:00,330 --> 00:00:02,820
Instructor: There are numerous resources, standards,
2
00:00:02,820 --> 00:00:05,220
and guidelines that are available for you to use
3
00:00:05,220 --> 00:00:07,290
when planning your penetration tests.
4
00:00:07,290 --> 00:00:10,320
This includes the Open Web Application Security Project,
5
00:00:10,320 --> 00:00:12,300
known as OWASP;
6
00:00:12,300 --> 00:00:15,300
the Open Source Security Testing Methodology Manual,
7
00:00:15,300 --> 00:00:17,490
known as OSSTMM;
8
00:00:17,490 --> 00:00:20,130
the Information System Security Assessment Framework,
9
00:00:20,130 --> 00:00:22,050
known as ISSAF;
10
00:00:22,050 --> 00:00:24,600
and the Penetration Testing Execution Standard,
11
00:00:24,600 --> 00:00:26,760
known as PTES.
12
00:00:26,760 --> 00:00:30,300
First, we have the Open Web Application Security Project,
13
00:00:30,300 --> 00:00:32,040
known as OWASP.
14
00:00:32,040 --> 00:00:34,230
The Open Web Application Security Project
15
00:00:34,230 --> 00:00:36,030
is a nonprofit foundation
16
00:00:36,030 --> 00:00:38,610
that works to improve the security of software.
17
00:00:38,610 --> 00:00:41,340
The foundation provides community-led software projects,
18
00:00:41,340 --> 00:00:44,160
education and training, and it's also become the source
19
00:00:44,160 --> 00:00:47,820
for developers and professionals who want to secure the web.
20
00:00:47,820 --> 00:00:49,920
OWASP has created the framework for testing
21
00:00:49,920 --> 00:00:52,530
during each phase of the software development process
22
00:00:52,530 --> 00:00:54,720
as a way to increase the awareness of web security
23
00:00:54,720 --> 00:00:56,520
across the industry.
24
00:00:56,520 --> 00:00:57,810
One way they do this is
25
00:00:57,810 --> 00:01:01,260
by providing the OWASP Web Security Testing Guide.
26
00:01:01,260 --> 00:01:03,600
This testing guide is a comprehensive guide
27
00:01:03,600 --> 00:01:07,080
to testing the security of web applications and web services
28
00:01:07,080 --> 00:01:09,000
that is created by the collaborative efforts
29
00:01:09,000 --> 00:01:12,540
of cyber security professionals and dedicated volunteers.
30
00:01:12,540 --> 00:01:15,150
This guide provides a framework of best practices
31
00:01:15,150 --> 00:01:16,770
that are used by penetration testers
32
00:01:16,770 --> 00:01:19,200
and organizations all over the world,
33
00:01:19,200 --> 00:01:23,790
and it can be found for free at OWASP.org.
34
00:01:23,790 --> 00:01:26,970
But probably the top thing that OWASP is known for
35
00:01:26,970 --> 00:01:28,830
is its Top 10 list.
36
00:01:28,830 --> 00:01:32,070
The OWASP Top 10 is a standard awareness document
37
00:01:32,070 --> 00:01:35,430
for developers and web application security experts.
38
00:01:35,430 --> 00:01:37,350
It represents a broad consensus
39
00:01:37,350 --> 00:01:40,560
about the most critical security risks to web applications
40
00:01:40,560 --> 00:01:43,470
and provides information on how to prevent them.
41
00:01:43,470 --> 00:01:48,120
For example, the Top 10 for 2021 has broken access control,
42
00:01:48,120 --> 00:01:50,700
cryptographic failures, injections,
43
00:01:50,700 --> 00:01:53,850
insecure design, security misconfigurations,
44
00:01:53,850 --> 00:01:55,860
vulnerable and outdated components,
45
00:01:55,860 --> 00:01:58,500
identification and authentication failures,
46
00:01:58,500 --> 00:02:00,570
software and data integrity failures,
47
00:02:00,570 --> 00:02:02,820
security logging and monitoring failures,
48
00:02:02,820 --> 00:02:06,390
and server-side request forgery as its Top 10.
49
00:02:06,390 --> 00:02:07,620
Now, for each of these,
50
00:02:07,620 --> 00:02:09,930
you can read a description of the vulnerability,
51
00:02:09,930 --> 00:02:11,100
how to prevent it,
52
00:02:11,100 --> 00:02:13,890
example attack scenarios complete with code,
53
00:02:13,890 --> 00:02:17,820
links to relevant Common Weakness Enumeration, or CWE, numbers
54
00:02:17,820 --> 00:02:19,140
and a list of references
55
00:02:19,140 --> 00:02:22,080
for how to test for those during an engagement.
56
00:02:22,080 --> 00:02:24,810
Second, we have the Open Source Security Testing
57
00:02:24,810 --> 00:02:28,800
Methodology Manual, known as the OSSTMM.
58
00:02:28,800 --> 00:02:31,560
The Open Source Security Testing Methodology Manual
59
00:02:31,560 --> 00:02:34,500
provides a methodology for a thorough security test
60
00:02:34,500 --> 00:02:38,310
which they refer to as an OSSTMM audit.
61
00:02:38,310 --> 00:02:40,860
This audit is used to create an accurate measurement
62
00:02:40,860 --> 00:02:43,170
of security at an operational level
63
00:02:43,170 --> 00:02:44,940
inside of an organization.
64
00:02:44,940 --> 00:02:47,190
This is one that is devoid of any assumptions
65
00:02:47,190 --> 00:02:49,470
or anecdotal evidence as well.
66
00:02:49,470 --> 00:02:51,930
This methodology is designed to be consistent
67
00:02:51,930 --> 00:02:54,240
and repeatable using the same principles
68
00:02:54,240 --> 00:02:56,130
that a scientific experiment might.
69
00:02:56,130 --> 00:02:57,720
The project is open-source,
70
00:02:57,720 --> 00:02:59,820
so it allows for any penetration tester
71
00:02:59,820 --> 00:03:03,060
to contribute ideas for performing more accurate, actionable
72
00:03:03,060 --> 00:03:05,040
and efficient security tests.
73
00:03:05,040 --> 00:03:07,140
It's also free to disseminate and use
74
00:03:07,140 --> 00:03:08,970
because it's not the intellectual property
75
00:03:08,970 --> 00:03:11,730
of any single corporation or government.
76
00:03:11,730 --> 00:03:13,710
The manual aims to be a straightforward tool
77
00:03:13,710 --> 00:03:15,960
for the implementation and documentation
78
00:03:15,960 --> 00:03:18,360
of penetration or security tests.
79
00:03:18,360 --> 00:03:22,680
The real focus in the OSSTMM is auditing, validation,
80
00:03:22,680 --> 00:03:25,050
and verification by using facts
81
00:03:25,050 --> 00:03:28,170
and not anyone's opinion during the engagement.
82
00:03:28,170 --> 00:03:30,780
Also, with that being said, the latest version
83
00:03:30,780 --> 00:03:34,650
of the OSSTMM as of right now is version three,
84
00:03:34,650 --> 00:03:37,650
which was released all the way back in 2010.
85
00:03:37,650 --> 00:03:38,940
So, keep that in mind
86
00:03:38,940 --> 00:03:41,880
because it can be a little bit outdated.
87
00:03:41,880 --> 00:03:44,430
Third, we have the Information System Security
88
00:03:44,430 --> 00:03:48,390
Assessment Framework known as the ISSAF.
89
00:03:48,390 --> 00:03:49,860
This methodology was created
90
00:03:49,860 --> 00:03:52,440
by the Open Information System Security Group,
91
00:03:52,440 --> 00:03:54,990
known as OISSG.
92
00:03:54,990 --> 00:03:58,290
The ISSAF is a bit out of date as well
93
00:03:58,290 --> 00:04:00,930
but it can still be a useful reference.
94
00:04:00,930 --> 00:04:02,070
Now, one of the benefits
95
00:04:02,070 --> 00:04:05,070
of the Information System Security Assessment Framework
96
00:04:05,070 --> 00:04:08,040
is how it links individual penetration testing steps
97
00:04:08,040 --> 00:04:10,740
with the relevant penetration testing tools.
98
00:04:10,740 --> 00:04:12,150
The goal of this framework was
99
00:04:12,150 --> 00:04:13,830
to provide a comprehensive guide
100
00:04:13,830 --> 00:04:15,780
when conducting a penetration test.
101
00:04:15,780 --> 00:04:18,510
But like I said, it is a bit outdated
102
00:04:18,510 --> 00:04:21,089
because it was last updated in 2015,
103
00:04:21,089 --> 00:04:23,760
and many of its supporting documents haven't been updated
104
00:04:23,760 --> 00:04:25,830
since 2005.
105
00:04:25,830 --> 00:04:28,620
To download the ISSAF documentation,
106
00:04:28,620 --> 00:04:32,430
you can simply go to Google and enter the term "ISSAF"
107
00:04:32,430 --> 00:04:34,710
and you're gonna find their SourceForge repository
108
00:04:34,710 --> 00:04:36,120
with all the files compressed
109
00:04:36,120 --> 00:04:38,310
as an archive for easy downloading.
110
00:04:38,310 --> 00:04:41,370
Included in that is about 35 to 40 files
111
00:04:41,370 --> 00:04:43,290
and each one is focused on a different area
112
00:04:43,290 --> 00:04:45,690
of penetration testing, such as routers,
113
00:04:45,690 --> 00:04:49,290
storage area networks, SQL injections, physical security,
114
00:04:49,290 --> 00:04:50,580
and many more.
115
00:04:50,580 --> 00:04:52,620
It can be a good starting point or reference
116
00:04:52,620 --> 00:04:54,690
if you want to build your methodology as well,
117
00:04:54,690 --> 00:04:56,760
but overall, it is outdated.
118
00:04:56,760 --> 00:04:57,840
And so I'm only bringing it up
119
00:04:57,840 --> 00:05:00,900
because it is listed on your exam objectives.
120
00:05:00,900 --> 00:05:01,733
Fourth,
121
00:05:01,733 --> 00:05:04,410
we have the Penetration Testing Execution Standard,
122
00:05:04,410 --> 00:05:06,570
known as PTES.
123
00:05:06,570 --> 00:05:09,270
Now, the Penetration Testing Execution Standard
124
00:05:09,270 --> 00:05:10,980
was developed to cover everything related
125
00:05:10,980 --> 00:05:13,890
to a penetration test from the initial communication
126
00:05:13,890 --> 00:05:15,690
and the reasoning behind that test
127
00:05:15,690 --> 00:05:17,400
all the way through intelligence gathering
128
00:05:17,400 --> 00:05:18,900
and threat modeling phases
129
00:05:18,900 --> 00:05:20,880
where the testers are working behind the scenes
130
00:05:20,880 --> 00:05:22,260
in order to get a better understanding
131
00:05:22,260 --> 00:05:23,730
of the tested organization,
132
00:05:23,730 --> 00:05:25,830
and then into the vulnerability research,
133
00:05:25,830 --> 00:05:28,620
exploitation and post exploitation phases
134
00:05:28,620 --> 00:05:31,500
where the technical security expertise of the testers comes
135
00:05:31,500 --> 00:05:33,930
into play and combines with the business understanding
136
00:05:33,930 --> 00:05:35,220
of that engagement,
137
00:05:35,220 --> 00:05:37,560
and finally into the reporting phase
138
00:05:37,560 --> 00:05:40,050
which captures the entire process in a manner
139
00:05:40,050 --> 00:05:41,490
that makes sense to the customer
140
00:05:41,490 --> 00:05:44,010
and provides them the most value from it.
141
00:05:44,010 --> 00:05:46,620
Now, the Penetration Testing Execution Standard
142
00:05:46,620 --> 00:05:49,200
was designed around seven main sections:
143
00:05:49,200 --> 00:05:50,850
pre-engagement interactions,
144
00:05:50,850 --> 00:05:52,170
intelligence gathering,
145
00:05:52,170 --> 00:05:53,250
threat modeling,
146
00:05:53,250 --> 00:05:54,810
vulnerability analysis,
147
00:05:54,810 --> 00:05:55,950
exploitation,
148
00:05:55,950 --> 00:05:57,240
post exploitation,
149
00:05:57,240 --> 00:05:58,620
and reporting.
150
00:05:58,620 --> 00:06:01,320
The goal of the Penetration Testing Execution Standard
151
00:06:01,320 --> 00:06:02,490
was to create a new standard
152
00:06:02,490 --> 00:06:05,790
that provided both businesses and security service providers
153
00:06:05,790 --> 00:06:07,470
with a common language and scope
154
00:06:07,470 --> 00:06:09,900
when you're performing a penetration test.
155
00:06:09,900 --> 00:06:12,600
Now, the Penetration Testing Execution Standard
156
00:06:12,600 --> 00:06:15,810
was first drafted all the way back in 2009.
157
00:06:15,810 --> 00:06:16,740
And honestly,
158
00:06:16,740 --> 00:06:19,020
it appears to be another good idea project
159
00:06:19,020 --> 00:06:20,400
that has since been abandoned,
160
00:06:20,400 --> 00:06:23,460
or at least relegated to the we'll-work-on-it-someday pile
161
00:06:23,460 --> 00:06:24,690
by its founders.
162
00:06:24,690 --> 00:06:28,410
Like ISSAF and OSSTMM,
163
00:06:28,410 --> 00:06:30,930
I'm really covering it here for the sake of completeness
164
00:06:30,930 --> 00:06:33,660
because it is listed by name in the exam objectives
165
00:06:33,660 --> 00:06:35,100
by CompTIA.
166
00:06:35,100 --> 00:06:37,710
Now, when it comes to high quality, well-maintained,
167
00:06:37,710 --> 00:06:39,420
and up to date resources,
168
00:06:39,420 --> 00:06:41,640
I personally like to stick with OWASP
169
00:06:41,640 --> 00:06:44,430
or the Open Web Application Security Project
170
00:06:44,430 --> 00:06:46,410
because they're constantly updating their materials
171
00:06:46,410 --> 00:06:47,760
and their website.
172
00:06:47,760 --> 00:06:51,210
Now, that being said, remember OWASP specializes
173
00:06:51,210 --> 00:06:52,980
in web application security,
174
00:06:52,980 --> 00:06:54,630
so it is not useful if you're looking
175
00:06:54,630 --> 00:06:56,910
at traditional infrastructure or endpoints
176
00:06:56,910 --> 00:06:58,680
during your penetration test.
177
00:06:58,680 --> 00:07:00,390
For those, you're gonna have to rely
178
00:07:00,390 --> 00:07:05,313
on something like OSSTMM, ISSAF, or PTES.