When a client hires my consulting firm to complete a project, there are a few pieces of collateral that I have grown to expect...
- Project Plan (and associated collateral)
- Process Guide
- Process Documentation (usually in UML/XML/BPMN 1.2, etc... though it really depends...)
- Project Notes (including interviews with SMEs, entrance/exit interviews, Post Implementation Reviews, etc...)
So when my buddy's company hires an "Ethical Hacker" to do a security assessment, I'm expecting:
- a list of vulnerabilities (itemized and ranked by priority and criticality/impact)
- the means to exploit them (exploit code location/repository)
- those that were exploited (identified by a unique identifier, like a MAC, IP, name, anything really...)
- those that were not exploited and the reasons why (like it'd bring down X service, etc...)
What I was not expecting was a Word document showing what they scanned and the "possible" risks. With nothing towards remediation... "It's not in the scope of the pen-test. [...] We make recommendations, and they make the changes..."
- Is there some "standard" penetration methodology or process out there?
- I'm sure, if it's like any other industry - there's tons of "standards" out there... But which ones are the "biggies" and how would one know if someone did a good job?
- Are there firms that "audit" the pen-testing companies?
I'm thinking there has to be some way to address the age-old question: