OSSTMM 2.1 Released

Pete Herzog writes "Once again, we have officially released another OSSTMM! After over a year and a half we have improved the OSSTMM (Open Source Security Testing Methodology Manual)."As we worked on packaging the 2.1 release, we all saw so much more that we wanted to put in. However we decided to put out a strong framework so following releases can come more quickly and more often and we wouldn't have to keep changing the formatting. OSSTMM 2.1 includes a lot of new stuff for those who do or require security testing. I am very happy with the updates to the manual on a whole and it's worth seeing the changes for this incremental upgrade. The following changes are included: readability, document structure, all 6 methodologies have been updated, updated law compliancies and best practices, rules of engagement structure, rules of thumb for security testers and project planning, ISECOM rules of ethics, and RAVs. You can download it directly from www.osstmm.org."

How long does it take to test?

[Eustace Tilley]

Nifty, the authors suggest how to staff and allocate time for a system security test. I liked these:

OSSTMM test rule of thumb:
3 man-weeks for 10 live systems in a class C less than 12 hops over 64k ISDN

• Add an additional 1/2 man hour per live system for every hop over 12.
• More bandwidth will decrease testing time proportionally up to 1Mb.
• Increasing the number of testers will decrease testing time proportionally. Analysis and reporting will become more complicated and take longer with more than 5 testers.

Doing the test is not enough, you need to tell the client what you found:

• 1/2 the time spent testing is needed for reporting.
• The report should be delivered 3 days minimum before the workshop.
• The security testing organization should not outnumber the invited attendees at the workshop with the exception of if there is only 1 attendee then there may be two representatives from the testing organization.
• Of the number of attendees from the security testing organization at a workshop, one should always be the actual tester and one other should always be a commercial (sales) person.

Important Ingredient for FOSS Growth

[4of12]

A lot of individual users of open source might not be very interested in this, but in the grand scheme of things, it's very important.

As Linux and other FOSS becomes more widely known, whether or not companies and institutions choose to deploy it more widely depends critically on efforts like this.

While knowledgeable geeks can dismiss worms and viri to the land of Windows, people in charge of IT have been burned pretty badly by these over the years. Their suspicions of software have been tempered in the

Re:Wrong place!

[Walling]

Like OpenBSD, the OSSTMM is perpetually under development - but it is ready for prime time as is. This methodology manual will be of interest both to people seeking qualified security testers, and the security testers and analysts themselves. My company uses the OSSTMM as a basis for its security testing, and I can say that the value of the OSSTMM is huge. I have been party to developing similar documentation for a very large international corporation. The time and resources they spent could have been g

Involvement

[the_pete]

One thing I would like to see is more involvement in all of ISECOM's projects. Besides the OSSTMM, we need someone to take over the Secure Programming Methodology and I would like some grassroots help for Hacker High School. Maybe HHS is a news item in itself. I also think ISECOM needs to reach new areas like India, Japan, China, and African countries outside the Middle East where we have a decent penetration.