Slashdot Mirror


Open Source Security Testing

dr_labrat writes: "Most penetration testing companies use "proprietary" methodologies to audit their customers' networks. The Open Source Security Testing Methodology Manual (pronounced: Osstum) now gives reputable companies the opportunity to use a peer-reviewed standard, and be compared to a wider community! It's just made it to version 2 and is gathering popularity."

7 comments

  1. booooring by Anonymous Coward · Score: 0

    open source.. bl4h blah 8lah..

  2. Hmm... by 42forty-two42 · Score: 1

    Can someone provide an overview?

    1. Re:Hmm... by Anonymous Coward · Score: 0

      Can someone provide an overview?

      Well, you could, if you would read the article.

  3. OSSTMM = Hacker's Manual? by Eppie · Score: 2, Interesting

    To what degree does open source testing of system vulnerabilities expose those vulnerabilities to hackers that otherwise wouldn't have access to them? After all, it is difficult to probe vulnerabilities without pointing them out. Examining the source and instructions of OSSTMM should be mandatory reading for newbie hackers.

    1. Re:OSSTMM = Hacker's Manual? by Anonymous Coward · Score: 0

      Hacker manuals say how to do these things, the OSSTMM only says what should be tested and not how. If you read it you'd see that.

  4. From the "About" page by Anonymous Coward · Score: 0

    This manual is to set forth a standard for Internet security testing. Disregarding the credentials of many a security tester and focusing on the how, I present a solution to a problem which exists currently. Regardless of firm size, finance capital, and vendor backing, any network or security expert who meets the outline requirements in this manual is said to have completed a successful security snapshot. Not to say one cannot perform a test faster, more in depth, or of a different flavor. No, the tester following the methodology herein is said to have followed the standard model and therefore if nothing else, has been thorough.

    I say security snapshot above because I believe an Internet security test is no more than a view of a system at a single moment in time. At that time, the known vulnerabilities, the known weaknesses, and the known system configurations have not changed within that minute and therefore it is said to be a snapshot. But is this snapshot enough?

    The methodology proposed herein will provide more than a snapshot if followed correctly with no short-cuts and except for known vulnerabilities in an operating system or application, the snapshot will be a scattershot-- encompassing perhaps a few weeks rather than a moment in time.

    I have asked myself often if it is worth having a central standard for security testing. As I began to write down the exact sequence of my testing to share synchronously the active work of a penetration test, it became clear that what I was doing is not that unique. All security testers follow one methodology or another. But are all methodologies good?

    All security information I found on the Internet regarding a methodology was either bland or secret. "We use a unique, in-house developed methodology and scanning tools...." This was a phrase found often. I remember once giving the advice to a CIO that if a security tester tells you his tools include ISS, Cybercop, and "proprietary, in-house developed tools" you can be sure he mainly uses ISS and Cybercop. That's not to say many don't have proprietary tools. I worked for IBM as an ethical hacker. They had the Network Security Auditor (NSA) which they now include in their firewall package. It was a good, proprietary tool with some nice reporting functions. Was it better than ISS or Cybercop? I couldn't say since we also used ISS to revalidate the NSA tests. This is due to the difficulty of keeping a vulnerability scanner up-to-date.

    I feel it is valid to be able to ask companies if they meet a certain standard. I would be thrilled if they went above the standard. I would also know that the standard is what they charge a certain price for and that I am not just getting a port scan to 10,000 ports and a check of 4,800 vulnerabilities, especially since most of those only apply to a certain OS or application. I'd like to see vulnerability scanners break down that number by OS and application. I know if I go into Bugtraq (the only true vulnerability checking is research on BT) that I will be able to find all the known vulnerabilities by OS and application. If the scanner checks for 50 Redhat holes in a certain flavor and 5 Microsoft NT holes and I'm an NT shop, I think I may try a different scanner.

    So following an open-source, standardized methodology that anyone and everyone can open and dissect and add to and complain about is the most valuable contribution we can make to Internet security. And if you need to know why you should recognize it and admit it exists, whether or not you follow it to the letter, it is because you, your colleagues, and your fellow professionals have helped design it and write it. Supporting an open-source methodology is not a problem of making you equal with all the other security testers-- it's a matter of showing you are just as good as all the other security testers. The rest is about firm size, finance capital, and vendor backing.

    Download the Manual