Home page logo

pen-test logo Penetration Testing mailing list archives

RE: ISSAF 0.2 release
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Mon, 24 Apr 2006 09:04:56 +0100

Hi Stefano,

-----Original Message-----
From: Stefano Zanero [mailto:s.zanero () securenetwork it]

Omar A. Herrera wrote:
We are pleased to announce the release of draft 0.2 of the Information
Systems Security Assessment Framework (ISSAF).

Just to help me understand, what's the difference between this and the
more established OSSTMM ?


Thanks for pointing this out; It will be useful to clarify this publicly
since many others will probably have the same question. For that matter I
reproduce below parts of a conversation with John Kinsella involving members
of the OISSG and ISECOM. 

As in that occasion, I invite Pete Herzog and other ISECOM members to post
any further clarifications they deem appropriate.

I hope this helps to clarify related doubts. Further questions and comments
on this matter are most welcomed.

Best regards,

Omar Herrera
Chairman, ISSAF Steering Committee

-----Original Message-----
From: John Kinsella [mailto:jlk () thrashyour com]
Sent: Tuesday, November 01, 2005 3:59 AM
To: Omar A. Herrera
Subject: Re: OISSG call for participation

Omar - any comments on how you guys compare/compliment/differ to 
Might want to put that as a FAQ somewhere on the site...

We definitely will include this information in a FAQ, thanks for 
your comment. But for now I'll address the question.

ISECOM's OSSTMM is an excellent security testing methodology that 
focuses mainly on pentesting. It is a mature project whereas ISSAF 
has not yet reached a stable, for production use, stage.

It might seem that wee overlap in some areas, but there are 
differences that allow ISSAF and OSSTMM to complement each other.

In some sense (because of its nature), ISSAF pretends to be broader 
and more detailed, e.g. we have a section on how to assess AS400 
systems, network devices, etc. and we plan to include sections on 
how to do security assessments for handheld device configuration and 
smartcards. We try to include as more information as possible, such 
as detailed examples of testing techniques and some tool outputs.
From a less technical point of view, ISSAF will cover things like 
assessment of patch management, vulnerability management and version 
control management processes.

There are advantages and disadvantages to this approach; the 
advantage is that you will have something like a security wikipedia 
with information on how to conduct security assessments for a wide 
range of processes and systems. However, this implies that it will 
require frequent updates and a lot of effort to maintain.

OSSTMM, being a methodology, will be less affected by obsolescence 
issues, because you can apply the same methodology to several 
assessment engagements, using different techniques and tools. On the 
other hand, ISSAF is a framework and pretends to give you the latest 
information on techniques, tools, best practices and regulation 
issues to complement your assessment engagement, whether you use 
OSSTMM as your assessment methodology or any other.

We might work closely with ISECOM in the future as well. We are an 
open group and are definitely not opposed to that :-).

The opinion of Pete Herzog or any other members of ISECOM might also 
help to clarify things further (I'm CCing Pete and Balwant, because 
your question is interesting for both ISECOM and the OISSG). But for 
now, I hope this will answer the question.

Kind regards
Omar Herrera

This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]