Yesterday I was reading about pentesting and came to know about pentesting methodologies and there's something which is bugging me.

"A pentest methodology is a repeatable process that other pentesters on a team can duplicate to deliver consistent quality."

Pentesting is used to detect the exploitable vulnerabilities which could've gone undetected in surface scans but how consistency works and is maintained by following the similar sequence?

CodePudding user response：

"Security is neither a product nor a service"

You can have standards, methodologies and ways of working around security, but each pentest is going to be different and it'll depend on the application you are trying to break into.

OWASP, for instance, has several methodologies that can help to establish a consistent process regardless of the tested applications, with varying techniques, tooling and exploits.

CodePudding user response：

You can flow the same phase to process penetration testing, but you have use different technique, tools in each phase. So the results are different too.