Re: Pentest Criteria
From: Wim Remes <wremes () gmail com>
Date: Wed, 8 Sep 2010 21:54:03 +0200
"OSSTMM 3 does exactly that. Currently it's being reviewed to either
include in the ISO27000 series or be its own ISO."
"the "written manual" OSSTMM 3 does not exist yet.
It is merely a book still being written. "
"it's merely a concept."
Can you explain how exactly an ISO committee is reviewing a "written manual" that does not exist yet? And do you
believe more in the feedback from an ISO committee than from a community
that is working on security in the trenches every single day?
On another note, OSSTMM 2.2 is no longer even hosted on the ISECOM website. Does it suck THAT hard?
Look, people engaged in using 2.2 because it was good, it was relevant and it was open. They could refer their
customers to an open standard; life was good. Companies invested themselves
in using 2.2 because it was worth something. Then came the promise of 3, and companies invested themselves in a
paywalled document, trusting that, judging by what they saw from 2.2, it would kick ass.
They got people trained on a subset of a nonexistent manual at full price, they got people contributing to 3 (how many
and how much is only known by you) believing that one day the sowing would end
and the reaping could start. More importantly, they believed YOU that 3 would make everything about security different.
They trusted YOU.
What is it you don't get ?
And more importantly, which anti-virus do you run ?
On 08 Sep 2010, at 21:02, Pete Herzog wrote:
On 9/8/2010 7:18 PM, Ulisses Castro wrote:
Pete, why did you insist saying that is "Open Source"?
Because it is. For one, OSSTMM 2.2 is there, free and available around the world. I can Google for it and it's there
and always has been. Anybody can take it and read it and use it and distribute it.
Where I think you get confused is with OSSTMM 3. So I'll make this a bit clearer for you: as far as the world is
concerned, the "written manual" OSSTMM 3 does not exist yet. It is merely a book still being written. Much like
partially written, nonworking code on the desktop of a programmer's bench, until that code is provided to the world,
no license nor stipulation is necessary. Sure, some of the people the programmer knows and discusses coding stuff with
might see it and help, but it's not done enough yet to do anything with. It's merely a concept.
Now where I think you really get even more confused is that we make the ideas of the OSSTMM 3 available to some. Yes,
it's an idea that we share openly among those who choose to help us build this object. We even choose to share our
ideas with those who don't work on it, but they then need to pay to come see it.
Once OSSTMM 3 is released, it will carry the CC attribution-noderivs license. So it will be free to use, read, and
distribute same as OSSTMM 2.2. The no-derivs because it's applied as a standard and there shouldn't be multiple
versions of the same standard. That would just be confusing.
One other point of note: the OSSTMM contains no Source Code. So the "source" which is open is the methodology, the
algorithms, and the work process, all of which have already been released for some time and are constantly updated to
reflect changes in the OSSTMM 3's development. Go ahead and look. It's there. Check osstmm.org and isecom.org/ravs.
Also check isecom.org/scare and isecom.org/hsm, which explain the OSSTMM 3 research as applied to other useful areas.
Also check our news page and get presentations which explain the methods step by step as well. Maybe you knew
of this, though, and that's what you refer to as the "marketing shit". We put it out there for feedback. Some of
the feedback we got on Mastering Trust (how to apply the new trust metrics) went into the written OSSTMM 3 manual, and we
added those people as contributors. For me that's open source. I published a piece of source (a method) and we got
feedback to improve it. The method got updated. How is that different from publishing unfinished, unworking source
code for feedback and comments?
I'm sorry, but I can't give you a written manual because it's NOT done yet. So if you're saying it's really still not
open source as you know it, then would you prefer we release nothing and say nothing until the written manual for each
version is completely done?
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org