EVALUATION OF FRAMEWORKS
First, six methodologies/frameworks were selected for potential use. Each selection was classified as either a methodology or a framework by way of gap analysis, establishing whether framework or methodology characteristics were present, with the focus primarily on the field of penetration testing (see table 2). Table 1 summarises the gap analysis; both the original (pre-evaluation) classification and the post-evaluation classification are shown. The evaluation classifications in table 1 form an ordinal scale: a framework encapsulates a methodology, and a methodology encapsulates tools, techniques, and resources. In addition, frameworks that include a methodology within them are identified. We arrived at an individual evaluation of each framework/methodology based on theoretical analysis: each framework or methodology was analysed to determine whether framework or methodology characteristics were present or absent.
Table 1: Evaluation Matrix
From the gap analysis it was possible to develop a taxonomy of penetration-testing-specific frameworks and methodologies, from which suitable candidate methodologies or frameworks can be identified for use in practice or research. We found that some frameworks were indeed frameworks in the accepted sense of the word, whereas others were simple collections of tools without a discernible underlying ontology. We felt that this was an important distinction, because novice pen testers would benefit from the additional support provided by a mature framework.
Table 2: Classification of Penetration Testing Frameworks and Methodologies.