Home page logo

pen-test logo Penetration Testing mailing list archives

Re: RE: OSSTMM how good is it?
From: offset <offset () svcroot net>
Date: Thu, 18 May 2006 03:01:05 +0200

I share your frustration and I will end up writing my own internal pen-testing methodology that I will use based on my 
own personal experience combining details from a lot of different sources (OSSTMM (high level, I wish v3 would be open 
to the public soon :-P ), ISSAF (I love the detail btw), methodologies used in various books on pen-testing (I'm amazed 
at how many books there are on the subject and they are all over the place in terms of quality)).

On the flip-side, you dont want to be "locked" into a stringent methodology without keeping yourself open to new attack 
vectors, perhaps that is one of the reasons that the existing methodologies are in the state they are today.  Call it 
"artistic" license or whatever, but many in the pen-testing field didnt exactly get to where they are today by 
following methodologies.  There are a lot of variables to consider and each pen-test engagement is different.

One of the more difficult parts of pen-testing is the breadth of knowledge required to be successful (networking, 
operating systems, internet fundamentals, development lifecycle, databases, name services, telecom, XML/Web services, 
the ability to write your own tools, etc, etc).  Many of the books cover the more "common" things to check but it is 
critical that you have access to people/resources should you come across something you've never seen before or need to 
get up-to-speed quickly (reading, testing in a lab, find others in your network of friends that can help, etc).


On Wed, May 17, 2006 at 12:38:39AM -0000, mythoughts () aboutosstmm com wrote:
I find this thread interesting because I have never seen an OSSTMM that has actually been finished, yet I have never 
seen any negative comments relating to it.

I think that it is a fantastic high level guide, but to actually use the methodology takes a huge amount of effort to 
figure out how to technically perform each of the steps.

I understand that it is supposed to be "upto the creativity of the pen tester" to figure out how to attack a target, 
but this doesn't provide a consistent result between pen testers, which is what the whole methodology is supposed to 
do - provide a consistent and comparable result for a client.

I haven't had a thorough look at ISSAF yet, but was impressed with the detail that it provides.

I am interested to hear what others think in relation to these comments.


This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]