Edith Cowan University
Research Online
Australian Information Security Management Conference
Conferences, Symposia and Campus Events
2015
Selection of penetration testing methodologies: A comparison and evaluation
Aleatha Shanley, Edith Cowan University
Michael N. Johnstone, Security Research Institute, Edith Cowan University
Follow this and additional works at: https://ro.ecu.edu.au/ism
Part of the Information Security Commons
DOI: 10.4225/75/57b69c4ed938d
13th Australian Information Security Management Conference, held from the 30 November – 2 December, 2015 (pp. 65-72), Edith Cowan University Joondalup Campus, Perth, Western Australia.
This Conference Proceeding is posted at Research Online.
https://ro.ecu.edu.au/ism/182
SELECTION OF PENETRATION TESTING METHODOLOGIES: A COMPARISON AND EVALUATION
Aleatha Shanley¹, Michael N. Johnstone¹,²
¹ School of Computer and Security Science, ² Security Research Institute
Edith Cowan University, Perth, Australia
{a.shanley, m.johnstone}@ecu.edu.au
Abstract
Cyber security is fast becoming a strategic priority across both governments and private organisations. With technology abundantly available, and the unbridled growth in the size and complexity of information systems, cyber criminals have a multitude of targets. Therefore, cyber security assessments are becoming common practice as concerns about information security grow. Penetration testing is one strategy used to mitigate the risk of cyber-attack. Penetration testers attempt to compromise systems using the same tools and techniques as malicious attackers, thus attempting to identify vulnerabilities before an attack occurs. This research details a gap analysis of the theoretical vs. the practical classification of six penetration testing frameworks and/or methodologies. Additionally, an analysis of two of the frameworks was undertaken to evaluate each against six quality characteristics. The characteristics were derived from a modified version of an ISO quality model.