SRI Security Research Institute, Edith Cowan University, Perth, Western Australia
Cyber security is fast becoming a strategic priority across both governments and private organisations. With technology abundantly available, and the unbridled growth in the size and complexity of information systems, cyber criminals have a multitude of targets. Therefore, cyber security assessments are becoming common practice as concerns about information security grow. Penetration testing is one strategy used to mitigate the risk of cyber-attack. Penetration testers attempt to compromise systems using the same tools and techniques as malicious attackers thus attempting to identify vulnerabilities before an attack occurs. This research details a gap analysis of the theoretical vs. the practical classification of six penetration testing frameworks and/or methodologies. Additionally, an analysis of two of the frameworks was undertaken to evaluate each against six quality characteristics. The characteristics were derived from a modified version of an ISO quality model.