Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Pentest Criteria
From: "Kurt M. John" <kurt.md.john () gmail com>
Date: Thu, 09 Sep 2010 09:32:03 -0400

Actually I just went ahead and layered NIST on top of my findings
because I got a little lost in the back and forth but thanks for
pointing that out Jeff

Kurt M. John, CISA, C|EH, CPT
http://www.applisoft.net



-----Original Message-----
From: Jeffrey Singleton <jeff () hackdefendr com>
To: lists () isecom org
Cc: Wim Remes <wremes () gmail com>, Ulisses Castro <uss.thebug () gmail com>,
p0wnsauc3 () googlemail com, TAS <p0wnsauc3 () gmail com>, Kurt M. John
<kurt.md.john () gmail com>, pen-test () securityfocus com
Subject: Re: Pentest Criteria
Date: Wed, 8 Sep 2010 22:25:20 -0400

Kurt

Did all this ridiculous bickering answer your question?

No disrespect to Pete or Wim ... but you hijacked Kurt's thread and
owe him an apology and an answer to his question(s).

-- 
Jeff

On Wed, Sep 8, 2010 at 5:18 PM, Pete Herzog <lists () isecom org> wrote:
Wim,

can you explain how exactly an ISO committee is reviewing a "written
manual" that does not exist yet ? And do you believe more in the feedback
from an ISO committee than from a community
that is working on security in the trenches every single day ?

You misunderstand. ISO isn't reviewing the OSSTMM 3 to better the OSSTMM-
they are doing it to see how it fits in the ISO family. The PEER REVIEW of
the OSSTMM happens by anyone who can and will review it. We put out calls
for reviewers and people show up to review it. Most people never respond
back but some do and we go on from there. Some of the best reviews though
come from people who just take that which we put out there and start asking
questions about it.

The written part is a draft. Just like code that doesn't work, it's just
ideas and concepts that's getting put together. The hardest part is putting
all the ideas and concepts together so they make sense. So we can publish
parts, and we have, but we don't have a whole. It's the equivalent of
non-functional code. But just so you know we've also provided the OSSTMM 3
draft in parts to university students working on thesis, NIST, the German
government's BSI, the Italian government, a few other government offices
that I don't remember anymore and many contributors and reviewers from
around the world.

Again, would you be happier if we published nothing at all until each full
version is complete?


On another note, OSSTMM 2.2 is even no longer hosted on the ISECOM
website. Does it suck THAT hard ?

We don't host it because we could no longer support it. After many requests
regarding updates for 2.2 we realized we had to remove it as a direct link
off our site to show that we are working on something new. But it's still
there. We still carry it in our mirrors. See:
http://isecom.securenetltd.com/osstmm.en.2.2.pdf

It's not gone from public use. It's just no longer updated by ISECOM. We
can't support it and work on 3.0.


Look, people engaged in using 2.2 because it was good, it was relevant and
it was open.  They could refer their customers to an open standard, life was
good. Companies invested themselves
in using 2.2 because it was worth something.  Then came the promise of 3
and companies invested themselves into a paywalled document trusting that,
by what they saw from 2.2, would kick ass.
They got people trained on a subset of an unexisting manual at full price
, they got people contributing to 3 (how many and how much is only known by
you) believing one day the sowing would end
and the reaping could start. More importantly, they believed YOU that 3
would make everything about security different. They trusted YOU.

People used 2.2 because that's what there was. When we realized that it was
too broken to advance and required a new re-write, we did that. We tried to
carry 2.2 as long as we could but sometime in 2008 we had to stop supporting
it. The new material just did not fit with the old concepts.

The companies who invested in 3.0 are fine for doing so. It's a living
breathing project that's growing. They are learning new and better concepts
for having invested in it. Many of these companies are also contributors and
sponsors so they have versions of the draft they can show their clients.


What is it you don't get ?

I don't get your anger. Nobody said the OSSTMM is dead or was going away. If
anything, we've been showing more and more each day that it's alive and
we're working on it.

Listen, I do think OSSTMM 3 will make security different and better. I know
it's better. I don't think anyone is let down by it. But I can tell you that
responding to faulty accusations on mailing lists won't make it happen any
faster.

-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]