Penetration testing methodologies and frameworks — Quiz

Penetration testing methodologies and frameworks

1. The Open Source Security Testing Methodology Manual (OSSTMM) version 3.0 is distinct because its primary focus is on: (Choose one answer) a) Providing a step-by-step guide for exploiting web application vulnerabilities b) Validating compliance with the Payment Card Industry Data Security Standard (PCI-DSS) c) Measuring the operational attack surface and providing factual, data-driven security metrics d) Mapping adversary behaviors to the tactics and techniques of known threat groups

2. The NIST SP 800-115 methodology divides penetration testing into four main phases. What are they? (Choose one answer) a) Pre-engagement, Intelligence Gathering, Exploitation, Reporting b) Planning, Discovery, Attack, Reporting c) Preparation, Asset Identification, Threat Assessment, Risk Assessment d) Reconnaissance, Scanning, Gaining Access, Maintaining Access

3. The OWASP Web Security Testing Guide (WSTG) is best described as: (Choose one answer) a) A high-level framework for managing organizational risk across all operational channels b) A comprehensive checklist specifically for testing the security of web applications and APIs c) A mandatory standard for all organizations that process online payments d) A knowledge base used primarily for threat hunting and modeling advanced persistent threats

4. How is the MITRE ATT&CK framework primarily used by security teams? (Choose one answer) a) As a complete penetration testing methodology to plan and execute every phase of a test b) To understand real-world adversary TTPs for improving detection, response, and red teaming c) As a scientific methodology for calculating Risk Assessment Values (RAVs) for an organization d) To define the legal rules of engagement and scope for a security assessment

5. Based on the comparison table, which methodology or framework is considered mandatory and prescriptive for organizations handling payment card data? (Choose one answer) a) PTES (Penetration Testing Execution Standard) b) OSSTMM (Open Source Security Testing Methodology Manual) c) PCI-DSS (Payment Card Industry Data Security Standard) d) ISSAF (Information Systems Security Assessment Framework)