Building a Comprehensive Penetration Testing Methodology
We often see clients struggling with the updated penetration testing requirements in PCI DSS (Requirement 11.3). The intent behind the requirement is that your organization defines, in writing, the means and methods by which a penetration test is executed against its environment. Your penetration testing methodology should spell out what a tester must do, and what they must cover, for the result to count as a comprehensive PCI assessment.
11.3 – Implement a formal, documented penetration testing methodology. A comprehensive methodology is the foundation for everything that follows; if you don't have one, start writing it now.
11.3.1 – Perform external penetration testing at least annually and after any significant infrastructure or application change. The statement of work for that engagement should map directly to your methodology. Everything comes back to the methodology, which is why it is so important.
11.3.2 – Perform internal penetration testing on the same schedule. Both engagements must be executed against a statement of work derived from your methodology, so the tester's scope and approach are never ad hoc.
11.3.3 – Exploitable vulnerabilities found during the test must be corrected and the test repeated to verify the corrections. Findings that were not exploited still go into your vulnerability identification and management program. For PCI purposes, the penetration test itself is not a pass or fail event; what is assessed is whether you remediated and retested.
11.3.4 – If you rely on network segmentation to reduce the scope of your PCI obligations, the tester must test the segmentation boundaries (at least annually and after any change to the segmentation controls) to confirm that every out-of-scope system really is isolated from the CDE. A single reachable path from an out-of-scope network into the CDE means the segmentation is not effective and those "out-of-scope" systems are in scope.
When building your organization's penetration testing methodology, there are several things to consider. This webinar's panelist, Jeff Wilder, gives listeners ten topics to include when putting a penetration testing methodology together:
- Coverage for the entire CDE
- Coverage of perimeter of the network
- Coverage of any critical systems
- Internal testing from the corporate network (WAN/LAN) that attempts to reach cardholder data without authorization
- External testing from the Internet that attempts to reach internal systems and systems in the DMZ without authorization
- Testing to validate any segmentation in place
- Testing of any controls that establish scope reduction
- Application-layer testing that covers, at a minimum, the vulnerability classes in the OWASP Top 10 and the CWE/SANS Top 25
- Network-layer testing against all network devices and assets
- A review of the threats and vulnerabilities the organization has experienced in the last 12 months, so the test exercises what has actually been seen in your environment
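The segmentation items above (11.3.4 and the two bullets on segmentation and scope-reduction controls) are the one part of the list that reduces to a concrete test: from a host on an out-of-scope network, try to reach every CDE system and port, and treat any completed connection as a failure of the control. The following is an added example of that check, not code from the original post or from the webinar; the probe logic is injectable so it can be run against recorded results, and the addresses and ports in `CDE_TARGETS` are constructed for illustration.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    reachable: bool  # True: the segmentation boundary let a session through


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes.

    A refused connection (RST from a REJECT rule) and a timeout (silent
    DROP) both count as blocked. Use IP addresses rather than names: a
    name-resolution failure is not evidence of isolation, so it is
    re-raised instead of being reported as "blocked".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except socket.gaierror:
        raise
    except OSError:
        return False


def validate_segmentation(
    targets: Iterable[Tuple[str, int]],
    probe: Callable[[str, int], bool] = probe_tcp,
) -> List[Finding]:
    """Probe each (host, port) pair and record which ones answered.

    `probe` is injectable so the logic can be exercised without a live
    network, and so a UDP or ICMP probe can be substituted for TCP.
    """
    return [Finding(host, port, probe(host, port)) for host, port in targets]


def segmentation_effective(findings: Iterable[Finding]) -> bool:
    """Segmentation holds only if not a single probe reached the CDE."""
    return not any(f.reachable for f in findings)


def report(findings: Iterable[Finding]) -> List[str]:
    """One line per probe; reachable targets are flagged as failures."""
    return [
        f"{f.host}:{f.port} "
        + ("REACHABLE - segmentation failure" if f.reachable else "blocked")
        for f in findings
    ]


# Constructed CDE inventory (RFC 1918 addresses invented for this example).
# From the out-of-scope network the tester sits on, none of these should answer.
CDE_TARGETS = [
    ("10.10.20.5", 1433),  # payment database
    ("10.10.20.5", 3389),  # RDP on the database host
    ("10.10.20.9", 443),   # payment application
    ("10.10.20.9", 22),    # SSH on the application host
]

if __name__ == "__main__":
    results = validate_segmentation(CDE_TARGETS)
    print("\n".join(report(results)))
    print("segmentation effective:", segmentation_effective(results))
```

Run it from every out-of-scope segment you claim is isolated (corporate LAN, guest wireless, vendor VPN, and so on), not from one convenient host, and repeat it after any change to firewall rules or VLANs. The check only covers TCP; a full validation also sweeps UDP and ICMP and all 65535 ports, which is where a port scanner earns its keep. Any target reported as reachable is a finding in its own right, because it pulls the segment the tester was standing in into PCI scope.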
There's a lot to learn about penetration testing, but we're here to help. To learn more, contact us today or check out our additional penetration testing resources.