
Picking your favorite testing framework
In the race to establish leadership in penetration testing, and web app pen testing in particular, several organizations, companies, and councils have sprung up. Some of these organizations offer a product-neutral methodology, while others have perspectives that unabashedly drive their recommended pen testing approach or framework. The contents and format of these testing frameworks vary greatly, so we'll need to sort through the options and see which one makes sense.
Government-supported centers and institutes such as the United States Computer Emergency Readiness Team (US-CERT), the Computer Security Resource Center (CSRC) at the National Institute of Standards and Technology (NIST), and the newly established European Union Agency for Network and Information Security (https://www.enisa.europa.eu) tend to focus on guidelines for defenders, which offer some guidance that can certainly be turned into test requirements and focus areas.
So, back to the potential paths: picking a framework often comes down to one's comfort zone and familiarity with the program or perspective. For many industries, compliance and regulations will also drive the choice. There is no right answer, but the selection can have an impact on the architecture and produce strengths and weaknesses in the end result. Many times, our own training budgets, schedules, product set, and backgrounds will dictate how we arrive at our process. We may get there through a certification track, a project affiliation, or through something organic to our employer. Let's take a look at some of the most popular methodologies.