RE: OSSTMM how good is it?

From: Steve Armstrong (stevearmstrong@logicallysecure.com)
Date: Tue May 16 2006 - 08:01:12 EDT


Rik

I believe the OSSTMM is a good framework, in an industry with few public
standards.

As to its resected nature, I cannot answer that however, I point to fact
it is probably one of the few standards the customer can get for
themselves and read. Thereby showing your practices and procedures are
open to scrutiny (if required) and your testing should be all
encompassing and thus reducing his risk of future unknown security
issues.

It is good because it challenges the perception that many IT Security
Testing Companies will agree to testing without publishing the depth and
vigour to which they will undertake that testing. Many just come and do
'stuff' and give you a report and an invoice.

Please note I am not disrespecting these companies, I am perhaps
oversimplifying the controls that place on releasing what they actually
do - usually for fear of competition.

However, you state you are undertaking IS1&3 but not 2 why is that. And
given the nature of IS1&3 why are you using CRAMM?

Finally, are you looking to use the OSSTMM as in internal testing
standard or one to level contracts against? I ask because your
questioning alludes to a non technical level of expertise but you are
discussing a methodology to undertake technical testing.

Steve A

Reader and user of IS1-5 but NOT CRAMM
User of OSSTMM

---------------------------------------------------

UK IT Security Forum - www.logicallysecure.com/forum

------------------------------------------------------------------------
--------------------------

-----Original Message-----
From: rik kershaw-moore [mailto:rkm@tsiolkovsky.co.uk]
Sent: 16 May 2006 06:47
To: pen-test@securityfocus.com
Subject: OSSTMM how good is it?

Can I ask what people think of the OSST and the Methodology laid down in
the OSSTM Manual?

Another question, especially for those UK residents - how well respected
is the OSST Methodology?

I am thinking of including this in our standard internal dest practice
set.

We aleady use the HMG InfoSec Standards 1 & 3 and CRAMM for Risk
Assessment, the ITIL Security Model for Security Change & Incident
Management but we are currently lacking when it comes to a decent
Testing Standard.

Yours,

Rik Kershaw-Moore, ITPC-HMG..

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
------------------------------------------------------------------------
------
This List Sponsored by: Cenzic
Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's 
Choice Award from eWeek. As attacks through web applications continue to
rise, 
you need to proactively protect your applications from hackers. Cenzic
has the 
most comprehensive solutions to meet your application security
penetration 
testing and vulnerability management needs. You have an option to go
with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm
your 
results from other product. Contact us at request@cenzic.com for
details.
------------------------------------------------------------------------
------
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:58 EDT