PTES, remaining impartial, and insisting on high standards

The PTES (Penetration Testing Execution Standard) is standard that a small group of highly motivated and passionate practitioners have created (and yours truly). As such, it is designed to define how a penetration test should be executed – from start to finish. We tried not to skip a single element. We worked tirelessly to make sure that the standard does not reference any particular vendor or product, as we all believe that a proper penetration test is not about the tools, but more about the content and delivery.
The standard has survived several years of scrutiny and a few rounds of editing and improvements, and have never ever leaned to a specific industry player.
It has been by now adopted by the PCI council as a reference to what a penetration test is, it has been acknowledged by the British Standards Institute and placed in the same class as other standards, often receiving higher praise for its impartiality, practicality and coverage.
For some reason, in the past week or so I was approached by two different vendors, in attempts to either use their platform or writeup about how their suite of products provide “the best coverage for the PTES”. I’m sure that I’m not alone in this.
Just to be clear, I’m including the (slightly modified) answer below, which by now is also the “official” line of the core PTES founding group.

Hi [vendor],
Thanks for reaching out. Unfortunately, the PTES as a standard is not going to endorse any specific product or service. We have a guide section that offers approaches to the execution of the standard (http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines) and I’m sure that your products can fit into _SOME_ of these areas.
I’d suggest avoiding an attempt to portray any product suite as “filling the needs of penetration testing standard” as it would be bound to be criticized and proven otherwise. Additionally, as an impartial member of the standard founders, we are all committed to avoiding any endorsement or participation in a product or vendor specific writeup.
Thanks, Ian

The standard is written for us. Practitioners, customers, organization, anyone and everyone who’s dealing with penetration testing. It is not about a specific product, or even a specific approach or methodology for testing. It’s about defining expectations, and delivery bars. It’s about setting up and insisting on a high standard. Not even a “minimal bar” for delivery. It is designed so that when it is adhered to, the delivery will be well above a “minimal standard”. We do not settle for minimums.
Please don’t settle on your end either.

Leave a Reply