OSSTMM, PTES, and OWASP – Methodology for Security Testing & Assessment

With demands in the market exploding, many low-quality or unqualified firms and individuals are getting in on the penetration testing gold rush and delivering poor, inadequate or even downright dangerous results that are giving even legitimate providers a bad name. Some penetration
testers use their access to systems to subsequently hack the same targets they’d been paid to help securely. Others inadvertently damage servers or leave behind tools that could be used by malicious hackers making real attacks.

These and several untold stories lead to what some might call standardization of penetration testing – Penetration Testing Methodology.

What is a Penetration Testing Methodology.

A penetration testing methodology is simply the manner in which a penetration test is organized and executed. Methodologies exist to identify security vulnerabilities in an organisation.

Unlike in the early days of Cybersecurity, today we have quite a number of methodologies, each methodology outlines the process an organization may take to discover vulnerabilities. While companies can use their own custom processes, there are many readily established, industry-recognized methodologies that can be a great option for organizations to use. Some organizations use these developed methods as an “out of the box” solution, while others use them as a baseline to build on.

Examples of these readily established methodologies include; OSSTMM. OWASP. PTES.


The OSSTMM [Open Source Security Testing Methodology Manual]- Developed by ISECOM [institute for security and open methodologies] is a methodology to test the operational security of physical locations, human interactions, and all forms of communications such as wireless, wired, analogue, and digital. The latest version can be gotten from here

The idea is for the company to be assured of the baseline for the testing, regardless of which network security firm they hire. It sets forth detailed mandates regarding which aspects of the network to test, how to conduct the test, and how to analyze the results of the test.

This methodology is one of the most recognizable methodologies in the industry. The advantage of this methodology is that it could be used on any target irrespective of persons, location, specific system, or a process [or thousands of them]


The Penetration Testing Execution Standard which was started in 2009 as the brainchild of six information security consultants attempting to address deficiencies in the penetration testing community consists of seven (7) main sections.

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

The goal was to create a standard that would help both clients and testers by providing guidance about the tools, techniques, and elements to be covered in a general penetration test.

The downside of the PTES is that it does not provide a technical guideline on how to execute an actual pentest. Although PTES does not provide any technical guidelines as far as how to execute an actual pentest, there exists a technical guide to accompany the standard.


The Open Web Application Security Project (OWASP ) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation.

Great publications and resources from this awesome guy include but is not limited to;

  • OWASP Top Ten – You weren’t expecting to pass by without seeing this right ; )
  • OWASP Software Assurance Maturity Model.
  • OWASP Testing Guide.
  • OWASP Development Guide.
  • OWASP Code Review Guide.

The OWASP Testing Guide is OWASP’s Penetration Testing methodology for penetration testers and organisations. Contrary to what you might have thought the OWASP Testing guide is not limited to Web Applications alone, depending on the type of application, the testing guide is further broken down into three;

  • OWASP Web Security Testing Guide – WSTG.
  • OWASP Mobile Security Testing Guide – MSTG.
  • OWASP Firmware Security Testing Methodology.


Looking at these various methodologies as earlier explained, shows that penetration testers and organizations can choose to select based on the pros and cons as they may be applicable to the scope of testing, size of the organization, and level of customization & tweak expected in terms of the result of the test.

By Emmanuel Akobe-Ajibolu

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top