Slashdot Mirror


OSSTMM 2.1 Released

Pete Herzog writes "Once again, we have officially released another OSSTMM! After over a year and a half we have improved the OSSTMM (Open Source Security Testing Methodology Manual). As we worked on packaging the 2.1 release, we all saw so much more that we wanted to put in. However we decided to put out a strong framework so following releases can come more quickly and more often and we wouldn't have to keep changing the formatting. OSSTMM 2.1 includes a lot of new stuff for those who do or require security testing. I am very happy with the updates to the manual on a whole and it's worth seeing the changes for this incremental upgrade. The following changes are included: readability, document structure, all 6 methodologies have been updated, updated law compliance and best practices, rules of engagement structure, rules of thumb for security testers and project planning, ISECOM rules of ethics, and RAVs. You can download it directly from www.osstmm.org."

10 comments

  1. How long does it take to test? by Eustace+Tilley · · Score: 2, Interesting
    Nifty, the authors suggest how to staff and allocate time for a system security test. I liked these:
    OSSTMM test rule of thumb:
    3 man-weeks for 10 live systems in a class C less than 12 hops over 64k ISDN
    • Add an additional 1/2 man hour per live system for every hop over 12.
    • More bandwidth will decrease testing time proportionally up to 1Mb.
    • Increasing the number of testers will decrease testing time proportionally. Analysis and reporting will become more complicated and take longer with more than 5 testers.
    Doing the test is not enough, you need to tell the client what you found:
    • 1/2 the time spent testing is needed for reporting.
    • The report should be delivered 3 days minimum before the workshop.
    • The security testing organization should not outnumber the invited attendees at the workshop with the exception of if there is only 1 attendee then there may be two representatives from the testing organization.
    • Of the number of attendees from the security testing organization at a workshop, one should always be the actual tester and one other should always be a commercial (sales) person.
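The rules of thumb quoted in this comment can be turned into a small planning calculator. This is an added example, not code from the OSSTMM or from the commenter; it assumes a 40-hour man-week, that the 3-man-week baseline scales linearly with the number of live systems, and a literal reading of "proportionally" for the bandwidth and tester adjustments.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAN_WEEK_HOURS = 40.0        # assumption: one man-week is 40 hours
BASE_HOURS = 3 * MAN_WEEK_HOURS   # 3 man-weeks ...
BASE_SYSTEMS = 10            # ... for 10 live systems ...
BASE_HOPS = 12               # ... less than 12 hops away ...
BASE_KBIT = 64               # ... over 64k ISDN
MAX_KBIT = 1024              # bandwidth credit stops at 1Mb
TESTER_LIMIT = 5             # above this, analysis and reporting get harder
HOP_PENALTY_HOURS = 0.5      # per live system, per hop over 12

@dataclass(frozen=True)
class Engagement:
    live_systems: int
    hops: int
    bandwidth_kbit: int = BASE_KBIT
    testers: int = 1

@dataclass(frozen=True)
class Estimate:
    testing_hours: float     # elapsed testing time after all adjustments
    reporting_hours: float   # 1/2 the time spent testing
    warnings: tuple

def estimate(e: Engagement) -> Estimate:
    if e.live_systems < 1 or e.testers < 1 or e.bandwidth_kbit < BASE_KBIT:
        raise ValueError("rules assume >= 1 system, >= 1 tester, >= 64k link")
    # assumption: the baseline scales linearly with the number of live systems
    hours = BASE_HOURS * e.live_systems / BASE_SYSTEMS
    # add 1/2 man hour per live system for every hop over 12
    hours += HOP_PENALTY_HOURS * e.live_systems * max(0, e.hops - BASE_HOPS)
    # more bandwidth decreases testing time proportionally, capped at 1Mb
    hours *= BASE_KBIT / min(e.bandwidth_kbit, MAX_KBIT)
    # more testers decrease testing time proportionally
    hours /= e.testers
    warnings = []
    if e.testers > TESTER_LIMIT:
        warnings.append("more than 5 testers: analysis and reporting take longer")
    return Estimate(hours, hours / 2, tuple(warnings))

def workshop_seats(invited_attendees: int) -> int:
    """Most people the testing organization may bring: never outnumber the
    invited attendees, except one attendee may be met by two (tester + sales)."""
    if invited_attendees < 1:
        raise ValueError("workshop needs at least one invited attendee")
    return 2 if invited_attendees == 1 else invited_attendees

def report_due(workshop_day: date) -> date:
    """Report must reach the client 3 days minimum before the workshop."""
    return workshop_day - timedelta(days=3)
```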
  2. Important Ingredient for FOSS Growth by 4of12 · · Score: 1

    A lot of individual users of open source might not be very interested in this, but in the grand scheme of things, it's very important.

    As Linux and other FOSS becomes more widely known, whether or not companies and institutions choose to deploy it more widely depends critically on efforts like this.

    While knowledgeable geeks can dismiss worms and viruses to the land of Windows, people in charge of IT have been burned pretty badly by these over the years. Their suspicions of software have been tempered in the fire of what's been happening - before they deploy something new and better, they want to see more than anecdotal evidence about security, and having a process in place for security checking is an essential ingredient (much like the certifications that IBM and SuSE have recently obtained).

    Yes, a knowledgeable and thoroughly trained sysadmin ought to be able to secure his boxes and know right from wrong. But CIOs feel better when their company's security is backed up by compliance with standards and processes and not just by a gut hunch that their sysadmin is "rock solid".

    --
    "Provided by the management for your protection."
  3. Certification in Mexico by luissol · · Score: 0, Troll

    Hi, I work for GCP Global in Mexico. GCP Global is a security firm which greatly supports the Open Source Movement. I think this is a wonderful achievement for Open Source; it really means breaking the barrier of legacy tools with even greater coverage to increase security levels in any kind of organization. If you're interested in getting certified in my country you can find all the details at http://www.gcpglobal.com

  4. Great move!!!! by Anonymous Coward · · Score: 0

    Kudos for isecom

    1. Re:Great move!!!! by Anonymous Coward · · Score: 0

      I also agree with you

      It's really important that such a move is directed towards security analysts, maybe companies like Red Hat, Suse, Mandrake, etc must include this!!!!

  5. Wrong place! by Anonymous Coward · · Score: 0

    Maybe this should be in the main list

    1. Re:Wrong place! by Anonymous Coward · · Score: 0

      Definitely this must be in the main list

    2. Re:Wrong place! by Walling · · Score: 1

      Like OpenBSD, the OSSTMM is perpetually under development - but it is ready for prime time as is. This methodology manual will be of interest both to people seeking qualified security testers, and the security testers and analysts themselves. My company uses the OSSTMM as a basis for its security testing, and I can say that the value of the OSSTMM is huge. I have been party to developing similar documentation for a very large international corporation. The time and resources they spent could have been greatly reduced had they embraced the OSSTMM. ++Walling++

  6. Involvement by the_pete · · Score: 1

    One thing I would like to see is more involvement in all of ISECOM's projects. Besides the OSSTMM, we need someone to take over the Secure Programming Methodology and I would like some grassroots help for Hacker High School. Maybe HHS is a news item in itself. I also think ISECOM needs to reach new areas like India, Japan, China, and African countries outside the Middle East where we have a decent penetration.