Penterep: Comprehensive Penetration Testing with Adaptable Interactive Checklists

Thumbnail Image
Files
1s2.0S0167404825000884main.pdf(2.03 MB)
Date
2025-03-17
Authors
Lazarov, Willi
Šeda, Pavel
Martinásek, Zdeněk
Kümmel, Roman
ORCID
0000-0001-6820-8391
 0000-0002-6689-1980
 0000-0002-6504-5619
Advisor
Referee
Mark
Journal Title
Journal ISSN
Volume Title
Publisher
Elsevier
Altmetrics
Abstract
In the contemporary landscape of cybersecurity, the importance of effective penetration testing is underscored by NIS2, emphasizing the need to assess and demonstrate cyber resilience. This paper introduces an innovative approach to penetration testing that employs interactive checklists, supporting both manual and automated tests, as demonstrated within the Penterep environment. These checklists, functioning as a quantifiable measure of test completeness, guide pentesters through methodological testing, addressing the inherent challenges of the security testing domain. While some may perceive a limitation in the dependency on predefined checklists, the results from a presented case study underscore the criticality of methodological testing. The study reveals that relying solely on fully automated tools would be inadequate to identify all vulnerabilities and flaws without the inclusion of manual tests. Our innovative approach complements established methodologies, such as PTES, OWASP, and NIST, providing crucial support to penetration testers and ensuring a comprehensive testing process. Implemented within the Penterep environment, our approach is designed with deployment flexibility (both on-premises and cloud-based), setting it apart through an overview comparison with existing tools aligned with state-of-the-art penetration testing approaches. This flexible and scalable approach effectively bridges the gap between manual and automated testing, meeting the increasing demands for effectiveness and adaptability in penetration testing.
Description
Keywords
Checklists, Cybersecurity, Ethical hacking, Methodology, Penetration testing, Reporting, Vulnerability assessment
Citation
COMPUTERS & SECURITY. 2025, vol. 154, issue 7, p. 1-16.
https://www.sciencedirect.com/science/article/pii/S0167404825000884
Document type
Peer-reviewed
Document version
Published version
Date of access to the full text
Language of document
en
Study field
Comittee
Date of acceptance
Defence
Result of defence
Document licence
Creative Commons Attribution-NonCommercial 4.0 International
http://creativecommons.org/licenses/by-nc/4.0/
DOI
10.1016/j.cose.2025.104399
URI
https://hdl.handle.net/11012/250881
Collections
Ústav telekomunikací
Citace PRO