1. Open Source Security Testing Methodology Manual
2. From Wikipedia, the free encyclopedia

The OSSTMM is a manual on security testing and analysis created by Pete Herzog and provided by ISECOM, the non-profit Institute for Security and Open Methodologies. The methodology itself, which covers what, when, and where to test, is free to use and distribute under the Open Methodology License (OML). The manual, the OSSTMM as a whole, is also free, released under the Creative Commons 2.5 Attribution-NonCommercial-NoDerivs license. The manual states, "All things being interconnected, this methodology is free precisely because we prefer to be as well." The latest version, OSSTMM 3, states it is "a collection of verified facts which are beneficial and progressive towards the improvement of operational security. Unlike ‘best practices’ the information within has been verified to be the correct action for better security." The OSSTMM is as much a philosophy of operational security as it is a methodology, stating, "In art, the end result is a thing of beauty, whereas in science, the means of reaching the end result is a thing of beauty. When a security test is an art then the result is unverifiable and that undermines the value of a test. One way to assure a security test has value is to know the test has been properly conducted. For that you use a formal methodology. This is it."
4. History

The story is that the OSSTMM began as a sketch Pete Herzog made during a train ride, looking for a means of security testing in accordance with the scientific method. As he got off the train, he met his wife and said to her, "I think I figured out something big." The first version was published in January 2001 and was 12 pages long. By comparison, the newest one, OSSTMM 3 RC17, is over 150 pages at last count and is still missing the templates. The creator of the OSSTMM, Pete Herzog, started ISECOM along with famed photographer and computer scientist Marta Barceló to support the OSSTMM and keep it free of commercial influence as it gained popularity. Originally, the first OSSTMM was released under the website ideahamster.org, a gift from Pete’s brother until they could afford a domain of their own. They called the community group Ideahamsters, a term for people who never stop coming up with new ideas.

Later, as Herzog recounted in a March 2003 interview with SecurityFocus journalist Federico Biancuzzi, "ISECOM began in January 2001 with the OSSTMM. Actually, the OSSTMM created ISECOM. The truth is really that I wanted to create a plan on how to test security because I didn’t think it was being done right and I wanted to improve it. So I searched the net only to find everyone referring to this proprietary methodology they have that’s so great. But I couldn’t know because I couldn’t see it. I was suspicious that it was true because I had seen the reports of some of the companies that said that they had some great proprietary methodology and there was nothing special about what was essentially vulnerability scanner outputs re-dressed as reports. So once I finished something, I posted it to the web and asked the public to give feedback. I had no idea that I was not the only one in need of such a thing. So here we are, five years later and the OSSTMM is at around four million downloads since its inception – with legislation requiring its use in some countries and some government employees and contractors around the world being required to be certified in it just to prove they can really do their jobs. And it’s still growing at a fast and shiny pace. We’re trying to staff-up to handle this all but that’s a problem in itself."

The OSSTMM itself explains its history as follows: "Since its start at the end of 2000, the OSSTMM quickly grew to encompass all security channels with the applied experience of thousands of reviewers. By 2005, the OSSTMM was no longer considered just a best practices framework. It had become a methodology to assure security was being done right at the operational level. As security audits became mainstream, the need for a solid methodology became critical. In 2006, the OSSTMM changed from defining tests based on solutions such as firewall tests and router tests to a standard for those who needed a reliable security test rather than just a compliance report for a specific regulation or legislation."

"With Version 3, the OSSTMM encompasses tests from all channels – Human, Physical, Wireless, Telecommunications, and Data Networks. A set of security metrics, called Risk Assessment Values (RAVs), provide a powerful tool that can provide a graphical representation of state, and show changes in state over time. This integrates well with a ‘dashboard’ for management and is beneficial for both internal and external testing, allowing a comparison/combination of the two. Quantitative Risk Management can be done from the OSSTMM Audit report findings, providing a much improved result due to more accurate, error free results. The OSSTMM includes information for project planning, quantifying results, and the rules of engagement for performing security audits. The methodology can be easily integrated with existing laws and policies to assure a thorough security audit through all channels."

5. What You Need To Know

The first chapter of OSSTMM 3 is called What You Need To Know. It introduces the new research, including the verification of best practices for making a security test according to the scientific method. The writing is less formal than that of academic research documents, to make it accessible to a wider audience. It starts: "This manual is about operational security (OPSEC). It is about measuring how well security works. While this may seem plain and obvious: ‘Don’t we all do operational security?’ it is a distinction which must be made because most compliance objectives require no more than matching processes and configurations to a set of best practices. This manual and the testing process it outlines requires that you make no assumptions that a security solution, product, or process will behave during operational use as it has been designated to do so on paper. More simply, this methodology will tell you if what you have does what you want it to do and not just what it was told to do." The chapter provides new and somewhat revolutionary ways to view security, controls, and vulnerabilities. The manual also explains how to apply these definitions and why they differ so much from the industry-provided ones: "To define security in a way it is possible and achievable in a non-biased way."

6. What You Need To Do

The second chapter is called What You Need To Do. It covers how to start a security test, 7 steps for defining the test, the rules of engagement for professional testing, an improved method of testing called the Four Point Process, the hypothesis of a security test called the Trifecta, handling errors, self-assessments for quality control, and handling disclosures of vulnerabilities.
It states plainly, "Fact does not come from the grand leaps of discovery rather from the small, careful steps of verification." The chapter starts: "Where do you start? Testing is a complicated affair and with anything complicated, you approach it in small, comprehensible pieces to be sure you don’t make mistakes."

"Conventional wisdom says complexity is an enemy of security. However, it is only at odds with human nature. Anything which is made more complex is not inherently insecure. Consider a computer managing complex tasks. The problem as we know it is not that the computer will make mistakes, confuse the tasks, or forget to complete some. As more tasks are added to the computer, it gets slower and slower, taking more time to complete all the tasks. People, however, do make mistakes, forget tasks, and purposely abandon tasks which are either not important or required at the moment. So when testing security, what you need to do is properly manage any complexity. This is done by properly defining the security test."

The rest of the manual follows that chapter with the details of performing a test. The following chapters cover:
7. Related Projects

OSSTMM research has fed into other ISECOM projects as well, using the same philosophy and its distinction between security and safety to bring clarity to other areas.
8. Certification & Training

ISECOM pays for its independent research through professional certifications. Individual and company certifications are available through ISECOM for the applied skills in professional security testing, analysis, methodical process, and professional standards as outlined in the OSSTMM’s Rules of Engagement. Individuals may get certified as an OPST (OSSTMM Professional Security Tester), OPSA (OSSTMM Professional Security Analyst), OPSE (OSSTMM Professional Security Expert), OWSE (OSSTMM Wireless Security Expert), or Certified Trust Analyst (CTA). These are the official ISECOM professional certifications, showing the knowledge and skills required to perform the respective roles properly and in accordance with the OSSTMM. Each certification requires up to a 4-hour open-book skills exam, designed to prove ability rather than rote memorization. The company certification is the ISECOM Licensed Auditor (ILA), which requires the company to sign a contract of ethical compliance with the OSSTMM Rules of Engagement and to employ ISECOM-certified security staff.

9. External links
Licence: Wikipedia. This article is licensed under the GNU Free Documentation License.