The OWASP Top 10 is a standard for developers and web application security. It represents a broad consensus about the ten most critical security risks to web applications.
Penetration testing will never be an exact science where a complete list of all possible
issues that should be tested can be defined. Indeed, penetration testing is only an appropriate
technique to test the security of web applications under certain circumstances. For
information about what these circumstances are, and to learn how to build a testing
framework and which testing techniques you should consider, we recommend reading the
OWASP Testing Framework Part One (http://www.owasp.org). Risk Management Guide
for Information Technology Systems, NIST 800-30, describes vulnerabilities in
operational, technical and management categories. Penetration testing alone does not
really help identify operational and management vulnerabilities.
Pentest Details in Numbers