Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Pentest Criteria
From: Pete Herzog <lists () isecom org>
Date: Wed, 08 Sep 2010 13:23:42 +0200

Wim,

Your opinion is duly respected. I doubt I can say anything to you which I haven't said before. OSSTMM 3 is not done. It's been a lot of work. It's close to being done. Even I don't have a finished version. I'm sorry.

But you know I disagree with you about open source. The OSSTMM is "open source" because it doesn't hide the method inside some tool or checklist. All concepts, ideas, processes, formulas and methods are openly explained and always have been. The fact that it's not finished and therefore not available for public release yet does not affect if it's open source. As for the people who invested in learning the OSSTMM and applying it in business, including training, they have all gotten newer, better security knowledge out of the process than all that other garbage that calls itself security out there. So I don't see the loss there. The fact that the manual itself is not done does not mean we cannot start helping people with what we know already. We already published multiple things on the trust metrics, the ravs, the rav formula, a rav calculation sheet, the STAR for businesses who want to make OSSTMM 3 tests already, and even the chapter which teaches people the framework for a valid, accurate, and useful security test. But maybe you missed all that.

So is it really so bad then we ask that people who need it or use it but can't work on it to subscribe? If you work on it (or any ISECOM project), we'll get you the OSSTMM 3 draft sooner. If you don't want to work on it then you wait until it's done. I don't think I'm the only one who finds that to be fair.

But I've told you all that before. The truth is that ISECOM wants to get the OSSTMM 3 done and publish it openly and freely. We have much more to gain from getting the OSSTMM 3 available to the public than not. So it is our intention to do so and we will do it as soon as we can.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org



On 9/8/2010 7:29 AM, Wim Remes wrote:
Pete,

with all due respect but don't you think you have abused the open source predicament long enough for something that 
will never be open nor free?
I know companies that got involved with v2, that invested in getting resources trained in v3, or the subset of it that 
was available at the moment of the trianing, and now have the
outlook that they'll be pointing their customers to another ISO standard instead of an open source standard and.

At the moment OSSTMM 3 does nothing but frustrate the heck out of people who invested time in either v2 or v3 based on 
idealism and empty promises.

Cheers,
Wim

On 05 Sep 2010, at 20:36, Pete Herzog wrote:

What if a client wants criteria reported as well. I'm not sure if there
is one I can use without running the risk of it being too far removed.
Is there a frame work or best practice which lends itself to pentests?
Or do I have to try to layer NIST on top of it

Thoughts?

OSSTMM 3 does exactly that. Currently it's being reviewed to either include in the ISO27000 series or be its own ISO. 
It has operational security metrics which allow you to rate vulnerabilities on what they do and it works very very well for 
pen test.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------








------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]