SECURITY ASSESSMENT FRAMEWORKS
Know the methodology. Own the engagement.
No single framework covers everything. Engagement methodologies define how to run a test. Testing guides define what to test in a domain. Compliance frameworks define how to scope and report. Taxonomies define the vocabulary. Intel-led frameworks define how to simulate real adversaries. They're complementary, not competing.
ENGAGEMENT METHODOLOGIES
How to run an assessment from scoping through reporting.
Penetration Testing Execution Standard
Community-driven (pentest-standard.org)
Information Systems Security Assessment Framework
OISSG (Open Information Systems Security Group)
Open Source Security Testing Methodology Manual
ISECOM (Institute for Security and Open Methodologies)
DOMAIN-SPECIFIC TESTING
What to test within a specific technology domain.
Web Security Testing Guide
OWASP (Open Worldwide Application Security Project)
Mobile Application Security Testing Guide
OWASP (Open Worldwide Application Security Project)
Application Security Verification Standard
OWASP (Open Worldwide Application Security Project)
COMPLIANCE & GOVERNANCE
How to scope, govern, and report the testing process.
THREAT TAXONOMY
The vocabulary — classifying what threats exist.
ADVERSARY BEHAVIOR CATALOG
The shared language for describing how adversaries operate.
INTELLIGENCE-LED RED TEAMING
Simulating real adversaries using real threat intelligence.