Pen Testing Methodology

Joined: 2012/02/23

I just got a job as a Junior Pen Tester at an accounting firm. They have been outsourcing their pen tests for a while now, so they hired me and another guy to start doing in-house pen testing. My boss has a lot of certs and experience, but he wanted my opinion on software, pen test methodologies to use, and a few other ideas; they have to be PCI approved. I have been thinking about using "Saint"; does anyone have any good ideas? Here are some ideas that I am going to present to him in two weeks. Is there a software or application that could speed up my process? Or is there a website that can point me in the right direction?

1) Engagement Planning (attack tree, signed agreements, contacts)
2) Acceptable Testing Windows
3) Assessment Activities (manual and automated)
4) Tools Used for each Activity
5) Purpose of each Activity
6) Output of each Activity
7) False Positive Identification and Removal
8) Reporting (don't spend too much time on report preparation; we can figure that out when we sell an engagement)

Also, I need to make sure we weave in network vulnerability testing tasks as well as application tasks. We also need to have two service offerings: 1) vulnerability assessment and 2) penetration tests. I also want to include processes that use automated tools as well as manual techniques.