Industry Methodologies

Open Source Security Testing Methodology Manual (OSSTMM)

The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive and open framework for conducting security tests and assessments. It provides a structured approach to evaluate the security of systems, networks, processes, and physical security controls. OSSTMM covers a wide range of security domains, including information security, operational security, and human security.

The manual outlines best practices for ethical hacking, risk assessment, and security auditing, ensuring that security professionals have a standardized methodology to follow. Its goal is to help organizations measure and improve their security posture while remaining transparent and consistent in their testing processes.

The methodology focuses primarily on how these systems, applications communicate, so it includes a methodology for:

  • Telecommunications (phones, VoIP, etc.)

  • Wired Networks

  • Wireless communications

Advantages

  • Covers a wide range of testing strategies in-depth.

  • Includes specific strategies for targeted areas like telecommunications and networking.

  • Flexible and adaptable to an organization’s specific needs.

  • Provides a standard methodology for penetration testing across systems and applications.

Disadvantages

  • The framework is complex, detailed, and uses unique definitions, making it difficult to understand.

https://www.isecom.org/OSSTMM.3.pdf

OWASP

OWASP is a community-driven framework designed specifically to test the security of web applications and services. It is frequently updated, providing comprehensive reports that highlight the top ten security vulnerabilities, along with guidance on testing approaches and remediation strategies.

Advantages

  • Easy to learn and implement.

  • Actively maintained with regular updates.

  • Covers all stages of an engagement, including testing, reporting, and remediation.

  • Specializes in web applications and services.

Disadvantages

  • Vulnerability types in web applications may overlap, making it unclear which specific vulnerability is present.

  • Does not offer guidance for specific software development life cycles (SDLCs).

  • Lacks accreditation such as CHECK.

LogoOWASP Foundation | Open Source Foundation for Application Security

NIST Cybersecurity Framework 1.1

The NIST Cybersecurity Framework is a widely-used framework designed to help organizations improve their cybersecurity standards and manage risks from cyber threats. It is popular due to its thoroughness and applicability across sectors, from critical infrastructure (e.g., power plants) to commercial enterprises. However, it provides limited guidance on specific methodologies for penetration testers.

Advantages

  • By 2020, it was estimated to be used by 50% of American organizations.

  • Highly detailed in setting cybersecurity standards to help mitigate cyber threats.

  • Frequently updated to reflect current security challenges.

  • NIST offers accreditation for organizations that adopt the framework.

  • Can be used alongside other cybersecurity frameworks for enhanced protection.

Disadvantages

  • Multiple iterations of NIST frameworks can make it difficult for organizations to choose the right one.

  • Weak auditing policies make it harder to determine how breaches occur.

  • The framework does not adequately address cloud computing, which is increasingly critical for modern organizations.

LogoCybersecurity FrameworkNIST

NCSC Cyber Assessment Framework (CAF)

The Cyber Assessment Framework (CAF) is a comprehensive framework consisting of fourteen principles designed to evaluate the risk of various cyber threats and an organization’s defenses. It is particularly relevant for organizations that provide "vitally important services and activities," such as critical infrastructure and banking. The framework focuses on key areas including: Data Security, System Security, Identity and Access Control, Resiliency, Monitoring, Response and Recovery Planning.

Advantages:

  • Backed by a government cybersecurity agency, providing credibility and authority.

  • Offers accreditation for organizations that meet its standards.

  • Covers a broad range of topics with fourteen principles addressing security, response, and recovery.

Disadvantages:

  • As a newer framework, it may not yet be fully integrated into industry practices, and organizations might need time to adapt.

  • Based on principles rather than specific rules, which can be less straightforward compared to other frameworks.

LogoCAF Objective A - Managing Security Risk
PreviousPentestingNextScopes of Testing

Last updated