Penetration Testing - DIB SCC CyberAssist

NIST defines penetration testing as security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability. (Source)

ISACA Journal – Planning for Information Security Testing – A Practical Approach
This article describes the steps involved with planning a security test of your network.
National Cyber Security Centre – Penetration Testing: Advice on How to Get the Most from Penetration Testing
This guidance helps with understanding the proper commissioning and use of penetration tests.
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
This NIST Special Publication is a guide to the basic technical aspects of conducting information security assessments.
Open Web Application Security Project (OWASP) Top 10
The OWASP Top 10 is an awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
PCI Data Security Standard – Penetration Testing Guidance
This guidance is intended for entities that are required to conduct a penetration test.
SANS Offensive Operations Training and Resources
This is a link to avaliable SANS penetration testing courses.
SANS Whitepaper – Scoping Security Assessments – A Project Management Approach
This whitepaper discusses how to properly define, verify, and control the scope of your security assessment.

CMMC Level 1 Self-Assessment Guide
This document provides self-assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 1.
CMMC Level 2 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
CMMC Level 3 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3.
FedRAMP – Penetration Test Guidance
The document provides guidelines regarding planning and conducting penetration testing and analyzing and reporting on the findings.
Institute for Security and Open Methodologies – The Open Source Security Testing Methodology Manual
This is a methodology to test the operational security of physical locations, human interactions, and all forms of communications such as wireless, wired, analog, and digital.
NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information
The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171.
Open Web Application Security Project (OWASP) – Free for Open Source Application Security Tools
OWASP's mission is to help the world improve the security of its software.
Open Web Application Security Project (OWASP) – Testing Guide v4
This link provides information about one methodology for web application penetration testing
Open Web Application Security Project (OWASP) – Testing Tools
This link from OWASP provides a list of web security testing tools.
The Penetration Testing Execution Standard
The penetration testing execution standard covers all aspects of conducting a penetration test.