ISSAF

The Information Systems Security Assessment Framework (ISSAF, https://sourceforge.net/projects/isstf/) is, for all intents and purposes, a mothballed project that nevertheless provides great information. It can help you understand an entire enterprise-grade assessment process, which includes not only pen testing but also incident and change control programs, Security Operations (SecOps) procedures, and the physical security of the environment, for instance. What the ISSAF lacks in current application testing guidance, it makes up for by providing sample NDAs, contracts, questionnaires, and other useful templates that can help you craft the appropriate deliverables.

Of note to us is that the ISSAF covers these discipline areas, among others:

  • Project management, guidelines, and best practices throughout the assessment
  • The assessment methodology
  • Technical control assessment
  • Unix/Linux, Windows, Novell, and database system security assessments
  • Web application security assessments
  • Internet user security and social engineering
  • The legal aspects of security assessment projects
  • Templates for Non-Disclosure Agreement (NDA) and security assessment contracts
  • A Request for Proposal (RFP) template
  • Some guidelines for penetration testing lab design (covered later in this chapter)