From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Pete Herzog
Sent: Wednesday 8 September 2010 23:19
To: Wim Remes
Cc: Ulisses Castro; p0wnsauc3 () googlemail com; TAS; Kurt M. John; pen-test () securityfocus com
Subject: Re: Pentest Criteria
> can you explain how exactly an ISO committee is reviewing a "written
> manual" that does not exist yet? And do you believe more in the
> feedback from an ISO committee than from a community
> that is working on security in the trenches every single day?
You misunderstand. ISO isn't reviewing the OSSTMM 3 to better the
OSSTMM - they are doing it to see how it fits in the ISO family. The
PEER REVIEW of the OSSTMM happens by anyone who can and will review
it. We put out calls for reviewers and people show up to review it.
Most people never respond back but some do and we go on from there.
Some of the best reviews though come from people who just take that
which we put out there and start asking questions about it.
The written part is a draft. Just like code that doesn't work, it's
just ideas and concepts that are getting put together. The hardest part
is putting all the ideas and concepts together so they make sense. So
we can publish parts, and we have, but we don't have a whole. It's the
equivalent of non-functional code. But just so you know we've also
provided the OSSTMM 3 draft in parts to university students working on
theses, NIST, the German government's BSI, the Italian government, a
few other government offices that I don't remember anymore and many
contributors and reviewers from around the world.
Again, would you be happier if we published nothing at all until each
full version is complete?
> On another note, OSSTMM 2.2 is no longer even hosted on the ISECOM
> website. Does it suck THAT hard?
We don't host it because we could no longer support it. After many
requests regarding updates for 2.2 we realized we had to remove it as
a direct link off our site to show that we are working on something
new. But it's still there. We still carry it in our mirrors. See:
It's not gone from public use. It's just no longer updated by ISECOM.
We can't support it and work on 3.0.
> Look, people engaged in using 2.2 because it was good, it was
> relevant and it was open. They could refer their customers to an open
> standard, life was good. Companies invested themselves
> in using 2.2 because it was worth something. Then came the promise
> of 3 and companies invested themselves into a paywalled document
> trusting that, by what they saw from 2.2, it would kick ass.
> They got people trained on a subset of a non-existent manual at full
> price, they got people contributing to 3 (how many and how much is
> only known by you) believing one day the sowing would end
> and the reaping could start. More importantly, they believed YOU that
> 3 would make everything about security different. They trusted YOU.
People used 2.2 because that's what there was. When we realized that
it was too broken to advance and required a new re-write, we did that.
We tried to carry 2.2 as long as we could but sometime in 2008 we had
to stop supporting it. The new material just did not fit with the old.
The companies who invested in 3.0 are fine for doing so. It's a living
breathing project that's growing. They are learning new and better
concepts for having invested in it. Many of these companies are also
contributors and sponsors so they have versions of the draft they can
show their clients.
> What is it you don't get?
I don't get your anger. Nobody said the OSSTMM is dead or was going
away. If anything, we've been showing more and more each day that it's
alive and we're working on it.
Listen, I do think OSSTMM 3 will make security different and better. I
know it's better. I don't think anyone is let down by it. But I can
tell you that responding to faulty accusations on mailing lists won't
make it happen any faster.
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org