Penetration Testing Execution Standard (PTES) is a standard that aims to give penetration testers a clear path for checking different vulnerabilities, and to give customers a high-quality formal standard for addressing the gaps that are found.
Chris Nickerson, a Denver-based penetration tester who is spearheading the standard, estimated that 80 per cent of penetration testers do not perform even adequate tests, while charging top dollar for their services.
“Pen tests become a vortex that sucks money out of people, and the reputation of the industry has gone up and down,” said Nickerson, who runs Lares Consulting. Testers should hand the client a report on vulnerabilities so that weaknesses can be fixed, but many of today's reports are either too simplistic or confusing.
The group of people who have been working on this project includes:
- Chris Nickerson, CEO – Lares Consulting.
- Dave Kennedy, Director of Information Security – Diebold.
- Chris John Riley, IT Security Analyst – Raiffeisen Informatik GmbH.
- Eric Smith, Partner – Lares Consulting.
- Iftach Ian Amit, VP Consulting – Security Art.
- Andrew Rabie, Wizard – Avon Products Inc.
- Stefan Friedli, Senior Security Consultant – scip AG.
- Justin Searle, Senior Security Analyst – InGuardians.
- Brandon Knight, Senior Security Engineer – Amazon.
- Chris Gates, Senior Security Consultant – Rapid7.
- Joe McCray, CEO – Strategic Security.
- Carlos Perez, Lead Vulnerability Research Engineer – Tenable Security.
- John Strand, Owner – Black Hills Information Security.
- Steve Tornio, Senior Consultant – Sunera LLC.
- Nick Percoco, Senior Vice President – SpiderLabs at Trustwave.
- Dave Shackelford, Security Consultant, SANS Instructor.
- Val Smith – Attack Research.
- Robin Wood, Senior Security Engineer – RandomStorm.
- Wim Remes, Security Consultant – EY Belgium.
PTES is still at the alpha “understanding” stage (a mind map), so if you have experience in penetration testing you can take part in the project by contributing ideas and thoughts that you feel add value to the standard.
The first draft is expected to be released at the Black Hat Las Vegas conference in August this year. Meanwhile, at SOURCE Boston 2011 you can attend a panel that includes some of the founders of the standard, who will discuss how it is being built and shaped by representatives from all segments of the industry.