Penetration Testing Execution Standards (PTES)

It’s all too common for AppSec companies to claim they offer vulnerability assessments when in fact they are just doing pentests. They likely use some automated scanner like Burp or Nexus, run a scan, and present the client with a vulnerability report.

However, this is not our approach we take at Forward Security. Our vulnerability assessments go beyond pentests. In fact, we adhere to the official Penetration Testing Execution Standards (PTES), which comprises four distinct stages:

  1. Intelligence gathering (Discovery)
  2. Threat modelling
  3. Vulnerability analysis – While this can be automated using scanners, it does not constitute pentesting in its entirety. Pentesting delves deeper. It requires creating threat scenarios and attempting their exploitation.
  4. Exploitation

The Ocean’s Eleven Approach to Penetration Testing

In the movie Ocean’s Eleven, before they target the casino, they invest significant time in gathering intel, devising a plan, and running simulations of the heist.

Discovery – Their first step is intelligence gathering. They familiarize themselves with every aspect of the casino, study the blueprints, identify all backdoors and security checkpoints.

Threat Modelling – Next comes threat modelling where they determine all possible attack pathways into the casino vault. This stage involves planning exercises on paper before any actual testing begins.

They construct models and repeatedly run simulations. This allows them to test hypotheses and implement their plan in a semi-real environment before attempting the actual break-in.

Vulnerability Analysis – Prior to breaking into the casino vault, they conduct a vulnerability analysis to identify weaknesses—does the door have a lock? Are there bars on windows? Are ventilation ducts large enough for someone to pass through?

This information further helps in their preparation with formulating their attack strategy.

Exploitation – Once they’ve conducted vulnerability analysis and validated their threat model, they attempt to exploit it.

The process might look something like this:

  • The door doesn’t have a lock, great!
  • During threat modelling, we identified a potential attack pathway through the casino’s back alley. If we enter through that door, then proceed down the hallway, the next door doesn’t have a lock.
  • We confirmed all these elements during our vulnerability analysis—the locks were indeed absent.

This is how pentesting should be conducted.

Elevate Your Security with our 4-stage Application Security Risk Assessment

We employ a four-stage Application Security Risk Assessment:

✅ Discovery – Understanding an application’s architecture is crucial to ensure no potential threats are overlooked during the assessment process.

Our security consultants collaborate closely with your team to understand your application to inform our approach.

This may include hands-on design workshops and comprehensive documentation for your organization.

✅ Threat Modelling – Based on the security design output, we conduct threat modelling to identify key threat scenarios specific to your application.

We use the STRIDE scheme to classify threat scenarios and an enhanced DREAD model to assign specific impact and likelihood levels for each identified issue. These will be reviewed with your team.

✅ Pentesting – Using OWASP’s detailed ASVS assurance criteria, our security team constructs and executes test cases using both manual and automated methods, including source code analysis where applicable.

This enables us to verify each threat scenario and identify actual risks posed to your business.

✅ Finalization – Upon completion of our Application Security Risk Assessment (ASRA), your team will receive a detailed report outlining all security risks based on impact and likelihood.

This makes it easy for your team to prioritize what’s most important for your organization. The report also includes recommended controls to support business risk management decisions.

If securing your application is a priority for you, connect with us for a free consultation.