OSSTMMv3 is Released

Wednesday, December 15, 2010

Infosec Island Admin


Cross-posted from Detmar Liesen at http://kamerazukleber.tumblr.com

Finally! At last!

How long I have waited for version three of the Open Source Security Testing Methodology Manual to be released!

You don’t even know what I am talking about? Then let me explain.

The OSSTMM is a methodology for testing and measuring operational information security.

The OSSTMM is developed by the Institute for Security and Open Methodologies - ISECOM, whose co-director is Pete Herzog. Pete’s mission as creator and writer of the OSSTMM - as I understand it - is to bring a more scientific approach to infosec.

In a security test (or penetration test) you don’t want to evaluate the ingeniousness of the tester (whitehat hacker) but rather the security of your information technology infrastructure. You don’t want to deal with biased terms like “risk” but rather measure factual operational security.

Risk is not something to measure but something you decide for yourself.
It’s biased. A tester should not give me a biased view but rather a reproducible and comprehensive view of factual operational security.

I have various systems that run services x, y, z, some of which may or may not have vulnerabilities, and I may or may not have security controls in place. Maybe the controls themselves have limitations (weaknesses or concerns) that reduce their effect, or maybe not. The OSSTMMv3 takes all of these aspects into account.

Whether or not the remaining risk is acceptable for my own business is not something that a penetration tester or consultant could decide for me.

I have not yet read the whole manual in the current version but there are certainly many points that need further discussion or clarification.

But one thing is sure: the OSSTMM version 3 is the best, most complete, least biased security testing methodology we have today.

And since the ISO apparently considers the OSSTMM for a new ISO standard, this methodology will most probably be here to stay and evolve.

I am really happy about the release and I’d like to thank Pete and all contributors to the OSSTMM for their great work. I am not sure about the metrics, but the testing methodology is solid and the best I have seen to date.

The current release is available at www.osstmm.org.
