What are phases in the Information Systems Security Assessment Framework (ISSAF)?

FTR (Formal Technical review) is a software quality assurance activity that helps the junior QA testers identify errors, rectify them (if possible) and ensure that the software runs smoothly.

New vulnerabilities are discovered all the time, and it is possible that the application contains vulnerabilities that are not yet known.

A known environment penetration test assesses the security of a system or network where detailed information about the infrastructure, configurations, and assets is readily available to the tester. In this type of test, the tester has prior knowledge of the target environment, mimicking a scenario where an insider or authenticated user attempts to exploit vulnerabilities. This allows for a more focused assessment of specific weaknesses, with the aim of identifying and mitigating potential risks associated with internal threats.

A type of penetration test that would only provide the tester with limited information such as domain names and IP addresses in the scope is known as a 'Black Box' test. In a Black Box test, the tester has no prior knowledge of the system being tested and relies solely on publicly available information to assess its security. This limited information approach mimics the perspective of an external attacker, making it a valuable assessment method for identifying vulnerabilities from an outsider's viewpoint.

These phases provide a structured framework for conducting security assessments. The Penetration Testing Execution Standard (PTES) includes seven phases: Pre-engagement, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-exploitation, and Reporting.