Slashdot Mirror


OSSTMM 2.1 Released

Pete Herzog writes "Once again, we have officially released another OSSTMM! After over a year and a half we have improved the OSSTMM (Open Source Security Testing Methodology Manual). As we worked on packaging the 2.1 release, we all saw so much more that we wanted to put in. However, we decided to put out a strong framework so following releases can come more quickly and more often and we wouldn't have to keep changing the formatting. OSSTMM 2.1 includes a lot of new stuff for those who do or require security testing. I am very happy with the updates to the manual as a whole and it's worth seeing the changes for this incremental upgrade. The following changes are included: readability, document structure, all 6 methodologies have been updated, updated law compliance and best practices, rules of engagement structure, rules of thumb for security testers and project planning, ISECOM rules of ethics, and RAVs. You can download it directly from www.osstmm.org."

1 of 10 comments

  1. How long does it take to test? by Eustace Tilley · Score: 2, Interesting
    Nifty, the authors suggest how to staff and allocate time for a system security test. I liked these:
    OSSTMM test rule of thumb:
    3 man-weeks for 10 live systems in a class C less than 12 hops over 64k ISDN
    • Add an additional 1/2 man hour per live system for every hop over 12.
    • More bandwidth will decrease testing time proportionally up to 1Mb.
    • Increasing the number of testers will decrease testing time proportionally. Analysis and reporting will become more complicated and take longer with more than 5 testers.
    Doing the test is not enough, you need to tell the client what you found:
    • 1/2 the time spent testing is needed for reporting.
    • The report should be delivered 3 days minimum before the workshop.
    • The security testing organization should not outnumber the invited attendees at the workshop, with the exception that if there is only 1 attendee there may be two representatives from the testing organization.
    • Of the number of attendees from the security testing organization at a workshop, one should always be the actual tester and one other should always be a commercial (sales) person.
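The rule of thumb quoted in the comment above is a scoping formula, and it is easier to sanity-check as code than as prose. The following estimator is an added example written for this page; it is not code from OSSTMM, ISECOM or the commenter. Where the quoted rule is silent, the code makes labelled assumptions: a man-week is taken as 40 hours, the 3 man-week figure is scaled linearly per live system (the rule only gives the 10-system point), the bandwidth reduction is applied to that baseline and not to the per-hop penalty (which the rule states as an absolute man-hour figure), links slower than the 64k baseline are treated as baseline, and the "more than 5 testers" warning is reported as a flag rather than converted to hours, because the rule gives no figure for it. The function name `estimate` and the `Estimate` dataclass are this example's own.

```python
from dataclasses import dataclass, field

# Figures taken from the OSSTMM rule of thumb as quoted in the comment.
BASELINE_MAN_WEEKS = 3.0           # "3 man-weeks ..."
BASELINE_SYSTEMS = 10              # "... for 10 live systems ..."
BASELINE_HOPS = 12                 # "... less than 12 hops ..."
BASELINE_BANDWIDTH_KBIT = 64       # "... over 64k ISDN"
BANDWIDTH_CAP_KBIT = 1024          # "up to 1Mb": faster links save nothing more
EXTRA_HOP_HOURS_PER_SYSTEM = 0.5   # "1/2 man hour per live system for every hop over 12"
REPORTING_FRACTION = 0.5           # "1/2 the time spent testing is needed for reporting"
TEAM_SIZE_WARNING = 5              # "more than 5 testers" complicates analysis
REPORT_LEAD_DAYS = 3               # "delivered 3 days minimum before the workshop"

# Assumption made by this example, not by the rule: a man-week is 40 hours.
HOURS_PER_MAN_WEEK = 40.0


@dataclass
class Estimate:
    testing_person_hours: float    # total tester effort
    reporting_person_hours: float  # half of the testing effort
    calendar_hours: float          # wall-clock testing time with `testers` working in parallel
    report_lead_days: int          # days the report must precede the workshop
    warnings: list = field(default_factory=list)


def estimate(live_systems: int, hops: int, bandwidth_kbit: int, testers: int = 1) -> Estimate:
    """Apply the quoted rule of thumb to one engagement's parameters."""
    if live_systems < 1 or hops < 0 or bandwidth_kbit < 1 or testers < 1:
        raise ValueError("live_systems, bandwidth_kbit and testers must be >= 1; hops >= 0")
    warnings = []

    # Baseline effort, scaled linearly per live system (assumption: the rule
    # only states the 10-system point).
    baseline_hours = BASELINE_MAN_WEEKS * HOURS_PER_MAN_WEEK * live_systems / BASELINE_SYSTEMS

    # Bandwidth shrinks the baseline proportionally, but no further than at 1 Mbit.
    # Links slower than 64k are outside the rule; treated as baseline (assumption).
    if bandwidth_kbit < BASELINE_BANDWIDTH_KBIT:
        warnings.append("link slower than the 64k baseline: rule gives no figure, using baseline")
    effective_kbit = min(max(bandwidth_kbit, BASELINE_BANDWIDTH_KBIT), BANDWIDTH_CAP_KBIT)
    baseline_hours *= BASELINE_BANDWIDTH_KBIT / effective_kbit

    # Distance penalty: every hop beyond 12 costs half an hour per live system.
    # Stated as an absolute man-hour figure, so it is not scaled by bandwidth (assumption).
    extra_hops = max(0, hops - BASELINE_HOPS)
    hop_hours = EXTRA_HOP_HOURS_PER_SYSTEM * live_systems * extra_hops

    testing_hours = baseline_hours + hop_hours
    calendar_hours = testing_hours / testers   # "proportionally" with more testers
    if testers > TEAM_SIZE_WARNING:
        warnings.append("more than 5 testers: analysis and reporting will take longer "
                        "than the proportional estimate")

    return Estimate(testing_hours, REPORTING_FRACTION * testing_hours,
                    calendar_hours, REPORT_LEAD_DAYS, warnings)


if __name__ == "__main__":
    # Constructed sample engagement: 10 hosts, 14 hops away, over a 128k link, two testers.
    e = estimate(live_systems=10, hops=14, bandwidth_kbit=128, testers=2)
    print(f"testing effort : {e.testing_person_hours:.1f} person-hours")
    print(f"reporting      : {e.reporting_person_hours:.1f} person-hours")
    print(f"calendar time  : {e.calendar_hours:.1f} hours with 2 testers")
    print(f"report due     : {e.report_lead_days} days before the workshop")
    for w in e.warnings:
        print("warning:", w)
```

The point of separating `testing_person_hours` from `calendar_hours` is that the rule trades one for the other: adding testers shortens the calendar but not the budget, and past five testers the rule says the analysis phase stops shrinking at all, which is why that case is surfaced as a warning instead of a number.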