How we apply OWASP, PTES, NIST in practice
A professional penetration test is not a chaotic “hack” but a methodical, structured process. To make testing comprehensive, repeatable and of consistently high quality, security teams around the world rely on recognized methodologies and standards. At nFlo, we place great importance on following industry best practices, integrating OWASP guidelines, the PTES standard and NIST publications into our day-to-day work. This approach gives our clients a reliable and thorough assessment of their security posture.
Why is it important to use recognized methodologies in penetration testing?
Using standard methodologies brings a number of benefits to both the testing team and the client. First, it ensures comprehensiveness – methodologies such as PTES or NIST define the key phases of a test, from reconnaissance to reporting, helping to ensure that no important area is missed. Second, it ensures repeatability and consistency – using the same framework allows the results of tests conducted at different times to be compared and ensures a uniform standard of work.
Third, relying on recognized standards increases the credibility and transparency of the process. The client is assured that the test is being conducted according to best practices and not according to the tester’s arbitrary ideas. Methodologies also often include guidelines on ethics and risk minimization. For the nFlo team, the use of standards is a cornerstone of professionalism and demonstrates our commitment to providing the highest quality services.
How does nFlo use OWASP guidelines (e.g. Top 10, ASVS) in application testing?
The OWASP Foundation (Open Worldwide Application Security Project, formerly the Open Web Application Security Project) is a global leader in web and mobile application security. Its projects, such as the OWASP Top 10, the OWASP Application Security Verification Standard (ASVS) and the OWASP Mobile Application Security (MAS) project, are fundamental resources for pentesters specializing in this area. At nFlo, we make intensive use of these resources during application testing.
The OWASP Top 10, a list of the ten most critical web application security risk categories, is our starting point and checklist for every web test. We check for categories such as Injection (which in the 2021 edition covers Cross-Site Scripting, XSS, alongside SQL injection), Identification and Authentication Failures (formerly Broken Authentication), Cryptographic Failures (formerly Sensitive Data Exposure) and the remaining categories on the list, tailoring the testing techniques to the specific application under test. The Top 10 is an awareness document rather than a complete test plan, which is why it is only the starting point.
We therefore go further, using more detailed guidelines such as OWASP ASVS. ASVS defines security verification requirements at three levels (Level 1 to Level 3), allowing the depth of the assessment to be matched to the risk profile of the application. We also use the OWASP Web Security Testing Guide (WSTG), which provides detailed testing techniques for specific categories of vulnerabilities. We do the same for mobile applications, relying on the OWASP Mobile Top 10 and the Mobile Application Security Testing Guide (MASTG, formerly MSTG).
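To make the Injection category concrete, here is an added example (not nFlo’s code and not part of the original page): a login lookup written once with string formatting and once with a parameterized query, plus the kind of tautology probe a tester runs against both. The table, the two user records and the `' OR '1'='1` payload are constructed for the demo; it uses only Python’s built-in sqlite3 and runs offline.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
# Plaintext passwords are used only to keep the example short; real systems
# store salted password hashes (see OWASP ASVS V2 / Cryptographic Failures).
SEED_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text from user input: classic OWASP Top 10 Injection (A03:2021).

    With password = "' OR '1'='1" the query becomes
      ... WHERE username = 'anyone' AND password = '' OR '1'='1'
    and, because AND binds tighter than OR, every row matches.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(query))


def login_fixed(conn, username, password):
    """Parameterized query: the driver binds the values, so input stays data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def injection_probe(conn, login_fn):
    """Tester's check: does a tautology payload return rows a real user would not?

    A random, non-existent username with a tautology in the password field
    must return nothing. Any returned row indicates the input reached the
    SQL parser as code.
    """
    payload = "' OR '1'='1"
    return len(login_fn(conn, "no-such-user", payload)) > 0


def demo():
    """Run both implementations against a legitimate login and the payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret-alice"),
        "vulnerable_bypass": login_vulnerable(conn, "anyone", payload),
        "fixed_legit": login_fixed(conn, "alice", "s3cret-alice"),
        "fixed_bypass": login_fixed(conn, "anyone", payload),
        "vulnerable_flagged": injection_probe(conn, login_vulnerable),
        "fixed_flagged": injection_probe(conn, login_fixed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same pattern (a known-bad input that should be inert, compared against the behaviour of a known-good input) is how a checklist item from the Top 10 is turned into a repeatable test rather than a one-off observation.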
How does the PTES framework structure the pentesting process in nFlo?
The Penetration Testing Execution Standard (PTES) is a methodology that focuses on defining the key phases and steps that make up a comprehensive penetration test. It provides a basic structure for the nFlo team to organize our work and ensure a methodical approach at each stage of the assignment. PTES distinguishes seven main phases:
- Pre-engagement Interactions: Defining the scope, objectives, rules and logistics of the test in collaboration with the client.
- Intelligence Gathering/Reconnaissance: Gathering information about the target from publicly available sources (OSINT) and through active scanning.
- Threat Modeling: Analysis of the collected information, the assets at stake and the realistic threat agents to identify the most likely attack vectors.
- Vulnerability Analysis: Proactively searching for specific security vulnerabilities in systems and applications.
- Exploitation: Attempting to exploit identified vulnerabilities to gain access or escalate privileges.
- Post-Exploitation Activities: Assessing the value of the compromised systems, attempting to move laterally through the network and to maintain access, within the agreed rules of engagement.
- Reporting: Detailed documentation of test runs, vulnerabilities found, risk assessments and recommendations.
Using the PTES structure allows us to systematically go through all the relevant phases of the test, ensuring that our actions are logical, well-documented and lead to reliable conclusions. At the same time, we flexibly adapt the specific techniques within each phase to the specifics of the assignment.
How do NIST guidelines (e.g., SP 800-115) affect nFlo’s approach to testing?
The National Institute of Standards and Technology (NIST) is an agency of the US Department of Commerce that publishes numerous cybersecurity standards and guidelines used widely around the world. Of particular relevance to nFlo is NIST Special Publication 800-115, “Technical Guide to Information Security Testing and Assessment.”
NIST SP 800-115 provides a comprehensive framework for planning, conducting and reporting on various types of security testing, including penetration testing. Among other things, it defines review, target identification and vulnerability validation techniques (e.g., documentation review, log review, network discovery and scanning, penetration testing), roles and responsibilities, and key elements of the assessment management process. It also structures a penetration test into four phases: planning, discovery, attack and reporting, which map cleanly onto the PTES phases described above.
The NIST guidelines help us ensure that our processes comply with recognized standards, especially in the context of projects for organizations that must meet specific regulatory requirements or internal policies based on NIST frameworks (e.g., the NIST Cybersecurity Framework). We use NIST SP 800-115 as a valuable resource for methodical planning and execution of testing activities and as a benchmark for our procedures.
Does nFlo also use its own refined testing procedures?
Relying on standards such as OWASP, PTES and NIST is the foundation, but the real value of nFlo’s services lies in combining this framework with the deep expertise and experience of our team. Standard methodologies provide structure, but do not replace the creativity, intuition and specialized skills of pentesters.
Our experts are constantly refining their techniques, keeping abreast of the latest trends in cyber attacks and developing proprietary tools and scripts to more effectively identify vulnerabilities, especially those that are non-standard or technology-specific. Within the framework of general methodologies, we apply our own refined checklists and test procedures for specific types of systems (e.g. Active Directory, AWS cloud environments, OT/ICS systems).
This combination of proven international standards with the unique expertise and continuous development of the nFlo team’s competencies allows us to offer penetration testing services at the highest level. We ensure not only compliance with best practices, but also in-depth analysis tailored to the individual needs and risks of our clients.
The value of using methodologies
nFlo’s expertise: combining standards with the team’s own procedures and experience provides unique value.
Comprehensiveness: a structured approach (e.g., according to PTES) ensures that all key aspects of the test are covered.
Credibility: being based on recognized standards (OWASP, NIST) builds trust and confirms professionalism.
Specialization: the use of dedicated guidelines (e.g., OWASP for applications) guarantees in-depth analysis.
Consistency: a standardized framework ensures repeatability and uniformity in the tests performed.
Free consultation and pricing
Contact us to discover how our end-to-end IT solutions can revolutionize your business, increasing security and efficiency in every situation.
