Occasionally I run across comments against the use of a Penetration test methodology. It seems every time I do, my blood pressure rises. The arguments against methodologies usually go along these lines:
- Methodologies restrict the ability of a pentester from doing his/her job
- You cannot script how an attacker might attack a system; therefore you cannot script how a pentester should attack a system
- Methodologies prevent a pentester from getting into the “mindset” of a hacker
- Methodologies are only for beginner pentesters
- Methodologies are only for managers and clients; otherwise, they waste time.
- Pentesting is an Art, not a science
In my personal opinion, these types of arguments can be boiled down into one thought: “Oh, the cleverness of me.”
Most of the time, I never hear particular examples of what within a methodology bothers people, or is flat-out wrong. The responses (including the ones above) tend to be overtly opinionated, and not objective at all. Let us take a quick look at the steps within a pentest as proposed by the ISSAF:
- Information Gathering
- Network Mapping
- Vulnerability Identification
- Penetration
- Gaining Access and Privilege Escalation
- Enumerating Further
- Compromise Remote Users/Sites
- Maintaining Access
- Cover the Tracks
All these steps are very valid (based on personal experience as a pentester), and I would contend that most good penetration testers that do not use a methodology still perform these same steps, as needed. In fact, I would contend that if those who do not use a methodology would actually delve into the details within each of these steps, they will find they use at least 90% of the procedures presented.
The real difference is that those who do not follow a published methodology do not realize they actually follow a methodology: their own. These people may like to think they are capable of conducting penetration tests better than most, because they have an edge others don’t: an artistic edge. Well, I hate to be the bearer of bad tidings, but if you can repeat a process, it is no longer an art form; it is science. And sciences can be quantified and improved on. Art cannot. That is the real downfall for those who do not support the use of methodologies: their resistance to approaching pentesting as a science weakens the discipline, and prevents others from benefiting from a shared body of knowledge.
Let’s be honest. People who are really good at penetration testing aren’t artists. They are individuals who have studied and practiced their skills, not people graced with a unique gift. Sure, there may be some characteristics in their personality that allow quicker progress, but just like the military, you have to practice the way you fight, and penetration testing is no exception. The “art” of war is taught at colleges across the globe, and is constantly reevaluated to improve tactics and overcome obstacles. The same type of effort should be put forth toward pentesting, which is a war in its own right.
We have an opportunity to improve our trade. Methodologies can allow us to “stand on the shoulders of Giants,” by sharing our knowledge to add to the common body of knowledge. Let us not forgo this opportunity because of misplaced egoism.
Comments? I’d love to hear them.