Hack Tool Repository

Categories Platforms Tools List Links News

Article: Results pentest questionnaire

This site is no longer maintained and kept for archiving purposes.

I am writing my thesis for my EDP auditor education. In my thesis I will compare the used methods and standards used by penetration testers with the method and standards used by the Dutch IT auditor association.

I need to know which methods and standards are used the most by penetration testers and how the final report looks like. To get my answers I have developed a short questionnaire about penetration testing. It asks questions about methodologies, standards, classification and reports.

You can still fill out the questionnaire if you haven't done so already: http://www.thesistools.com/web/?id=201555

Does the definition below cover the term penetration test? You can choose from 1-4, which stands for not, a bit mostly and totally. The definition above covers the term penetration test (Not - Totally) A penetration test is the controlled attempt at penetrating a computer system or network from “outside” in order to detect vulnerabilities. It employs the same or similar techniques to those used in a genuine attack.
1		13 (9.85 %)
2		39 (29.55 %)
3		59 (44.7 %)
4		21 (15.91 %)
n = 132 # 132

Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability. The definition above covers the term penetration test (Not - Totally)
1		6 (4.65 %)
2		19 (14.73 %)
3		58 (44.96 %)
4		46 (35.66 %)
n = 129 # 129

Penetration testing is the portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users. The definition above covers the term penetration test (Not - Totally)
1		20 (15.63 %)
2		57 (44.53 %)
3		40 (31.25 %)
4		11 (8.59 %)
n = 128 # 128

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, hardware or software flaws, or operational weaknesses in process or technical countermeasures. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered. The definition above covers the term penetration test (Not - Totally)
1		16 (12.4 %)
2		24 (18.6 %)
3		54 (41.86 %)
4		35 (27.13 %)
n = 129 # 129

A penetration test is a live test of the effectiveness of security defenses through mimicking the actions of real-life attackers. The definition above covers the term penetration test (Not - Totally)
1		13 (10 %)
2		24 (18.46 %)
3		52 (40 %)
4		41 (31.54 %)
n = 130 # 130

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. The Open Source Security Testing Methodology (OSSTM)
At least once a week		11 (18.03 %)
At least once a month		25 (40.98 %)
At least once a year		25 (40.98 %)
n = 61 # 61

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. NIST SP800-115
At least once a week		4 (7.84 %)
At least once a month		15 (29.41 %)
At least once a year		32 (62.75 %)
n = 51 # 51

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. Information Systems Security Assessment Framework (ISSAF)
At least once a week		6 (13.64 %)
At least once a month		14 (31.82 %)
At least once a year		24 (54.55 %)
n = 44 # 44

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. Penetration Testing Model by BSI
At least once a week		6 (15 %)
At least once a month		11 (27.5 %)
At least once a year		23 (57.5 %)
n = 40 # 40

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. Guideline for IS audits based on IT-Grundschutz
At least once a week		0 (0 %)
At least once a month		8 (22.22 %)
At least once a year		28 (77.78 %)
n = 36 # 36

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. Penetration Test Framework by www.vulnerabilityassessment.co.uk
At least once a week		6 (13.04 %)
At least once a month		15 (32.61 %)
At least once a year		25 (54.35 %)
n = 46 # 46

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. OWASP
At least once a week		30 (40 %)
At least once a month		30 (40 %)
At least once a year		15 (20 %)
n = 75 # 75

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. Developed in house
At least once a week		39 (53.42 %)
At least once a month		15 (20.55 %)
At least once a year		19 (26.03 %)
n = 73 # 73

Which of the following penetration testing methodologies do you use frequently? Please specify to which extent you use the methodology. Other
At least once a week		16 (34.78 %)
At least once a month		13 (28.26 %)
At least once a year		17 (36.96 %)
n = 46 # 46

Do you perform all steps (when applicable) specified in the method you use the most?
Yes		53 (46.9 %)
No		60 (53.1 %)
n = 113 # 113

Do you do more than specified in the methodology you use the most?
Yes		82 (72.57 %)
No		31 (27.43 %)
n = 113 # 113

A standard gives the expected results for a test. Which of the following standards do you use? (multiple answers possible)
OWASP		63 (68.48 %)
ISSAF		23 (25 %)
Developed in house		57 (61.96 %)
Other (please specify)		7 (7.61 %)
n = 92 # 150

Do you use a formal method to determine the classification of the found vulnerability?
MITRE-CVE		44 (48.35 %)
CVSS		37 (40.66 %)
RAV from OSSTMM		12 (13.19 %)
Security scanner defaults		30 (32.97 %)
Developed in house		40 (43.96 %)
Other (please specify)		8 (8.79 %)
n = 91 # 171

Which of the following aspects do you take into account when assessing the risk of a vulnerability?
Remote vs. local		68 (72.34 %)
Complexity to exploit		69 (73.4 %)
Availability to others		44 (46.81 %)
Information needed (like credentials)		62 (65.96 %)
Availability, integrity and confidentiality		73 (77.66 %)
Requirements of the organization		38 (40.43 %)
Importance of information or processes on the system		63 (67.02 %)
Nr of systems affected		28 (29.79 %)
Remediation effort		40 (42.55 %)
Other (please specify)		9 (9.57 %)
n = 94 # 494

Which of the following do you have in your report?
The name of the client		76 (82.61 %)
A description of the systems		72 (78.26 %)
Period of the test		85 (92.39 %)
Which method is used		73 (79.35 %)
Which criteria were used		68 (73.91 %)
Restrictions		63 (68.48 %)
Distribution restrictions		48 (52.17 %)
Who is responsible for what (Tester/Client relationship)		43 (46.74 %)
Summary of the tests		84 (91.3 %)
A description of the performed tests		69 (75 %)
Conclusion		80 (86.96 %)
Recommendations		85 (92.39 %)
Date of the report		83 (90.22 %)
Name and place of the tester		55 (59.78 %)
n = 92 # 984

Which of the following describes the management summary or the conclusion of your report the best:
A list of findings		25 (25.51 %)
A list of risks		28 (28.57 %)
A judgment about the state of security		45 (45.92 %)
n = 98 # 98

What is your gender
Male		90 (92.78 %)
Female		7 (7.22 %)
n = 97 # 97

Which of the following age groups are you in?
Under 18		2 (2.06 %)
18 to 25		13 (13.4 %)
25 to 35		51 (52.58 %)
35 to 45		19 (19.59 %)
45 to 60		10 (10.31 %)
60+		2 (2.06 %)
n = 97 # 97

In which sector do you work?
Financial		21 (21.88 %)
Consumer Goods and Retail		3 (3.13 %)
Professional Services		27 (28.13 %)
Trade and Industry		1 (1.04 %)
Energy and Utilities		2 (2.08 %)
Technology, Media and Telecom		25 (26.04 %)
Construction, Real Estate and Infrastructure		1 (1.04 %)
Public Sector		11 (11.46 %)
Non Profit		5 (5.21 %)
n = 96 # 96

If you work in the private sector, what type of company do you work for?
Self employed		10 (12.5 %)
Small local business		14 (17.5 %)
Large local business		11 (13.75 %)
Branch of national company		13 (16.25 %)
Branch of multi-national company		32 (40 %)
n = 80 # 80

How often do/did you perform a penetration test?
At least once a week		28 (29.79 %)
At least once a month		32 (34.04 %)
At least once a year		23 (24.47 %)
Not anymore		6 (6.38 %)
Never		5 (5.32 %)
n = 94 # 94

For how long have you been performing penetration tests
None		10 (10.64 %)
Less than a year		12 (12.77 %)
1-5 years		47 (50 %)
5-10 years		15 (15.96 %)
10+ years		10 (10.64 %)
n = 94 # 94

How big is the team you work in (and also perform penetration tests)?
None		8 (8.51 %)
Only me		17 (18.09 %)
2-5		43 (45.74 %)
6-10		15 (15.96 %)
11-20		6 (6.38 %)
21+		5 (5.32 %)
n = 94 # 94

Legend:
n = Number of respondents that has seen the queston
# = Number of received answers

Hits:

2260

Added:

2011-06-13 11:12:30

Updated:

2011-09-04 21:04:24