1C: Compare Standards and Methodologies Flashcards
1.2 Explain the importance of scoping and organizational/customer requirements. 2.1 Given a scenario, perform passive reconnaissance.
An organization aimed at increasing awareness of web security and provides a framework for testing during each phase of the software development process. Among other listed tools, they list the top 10 vulnerabilities.
Open Web Application Security Application Project (OWASP)
An organization founded in 1901, they exist to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. One such publication includes SP 800-115.
The National Institute of Standards and Technology (NIST)
Written in 2000, this is a methodology to test the operational security of physical locations, workflow, human security testing, physical security testing, wireless security testing, telecommunication security testing, data networks security testing and compliance.
Open Source Security Testing Methodology Manual (OSSTMM)
This is a framework written in 2005 that details structured guidelines and best practices to accomplish a PenTesting exercise. The framework is obtained by downloading a RAR file containing 14 documents.
Information Systems Security Assessment Framework (ISSAF)
Developed by business professionals as a best practice guide to PenTesting, this framework has seven main sections that provide a comprehensive overview of the proper structure of a complete PenTest.
The Penetration Testing Execution Standard (PTES)
This is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations including attack paths exploited by APTs.
MITRE ATT&CK Framework
CompTIA defines this as: a risk management approach to QUANTIFYING VULNERABILITY DATA and then taking into account the degree of risk to different types of systems or information (AKA a system that provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity).
Common Vulnerability Scoring System (CVSS)
A scheme for identifying publicly disclosed vulnerabilities developed by MITRE and adopted by NIST. Each entry refers to specific vulnerability of a particular product and iscataloged with the name and description of the vulnerability.
Common Vulnerabilities and Exposures (CVE)
A community-developed database that is a dictionary of software-related vulnerabilities maintained by the MITRE Corporation.
Common Weakness Enumeration (CWE)