
Penetration Testing mailing list archives

From: "Andre Gironda" <andreg () gmail com>
Date: Sat, 13 Dec 2008 10:41:54 -0700

On Fri, Dec 12, 2008 at 2:38 PM, Chris Griffin <chris () logossecurity com> wrote:
> I suggest that you read the full OSSTMM 3.0

> I'm curious why you say the OSSTMM "only" covers 10 controls.

Where was that quote?  :>  Any good audit framework contains a
taxonomy of tiered controls.  The top level of OSSTMM has 10, and I
guess that is a lot.  I probably shouldn't have included the word
"only" because it's misleading and inaccurate.  Thanks for the

> Nice to have you on this list.  You should explain the difference
> between regular IT Security Certifications and what ISECOM

From what I understand, OSSTMM 3.0 not only has certifications to run
the audits (and thus become auditors), but it also allows the auditors
to be audited themselves.  For those curious as to whether Qualys or
WhiteHatSec are running Chinese Banker malware or Singapore-based
hypervisors, this might clue some people in above and beyond what
PCI-DSS, SAS70, and BITS SA offer.

