This chapter is the first of three aimed at helping organisations and individuals achieve their goals and obtain maximum value from Penetration Testing and Security Assessments. Unlike much of the available literature on the subject, it has been written using a minimum of jargon and takes a UK/European viewpoint rather than a US-centric one. It is consistent with the regulatory, legal, and commercial environment at the time of publication, though it ultimately shares a weakness with all static texts: the document represents a snapshot in time. If you require updated information, or have questions or corrections for the authors, please address them using the contact details at the end of this document. Feedback is most welcome.
In this, the first of three chapters, we introduce the reader to some standard terminology for talking about Penetration Testing and briefly cover the questions that most organisations and individuals will have about the activity when they have not previously embarked on a Security Assessment or Penetration Testing project. We also take a step back and look at where Penetration Testing fits within the wider context of Security Assurance, and discover what it can and cannot deliver to the IT security function of your organisation. In the final part of this chapter, we look at the different philosophies and methods of delivery for these projects, in preparation for our second chapter, Selecting a Penetration Testing Provider.