Open Source Security Testing

Pete Herzog, Founder of ISECOM, will be discussing the revised Open Source Security Testing Methodology Manual (OSSTMM v3) and how it applies to web application security today (10-13-2010) in Raleigh, NC.

I’m not sure exactly if this project really qualifies as Open Source – since the license is not specified.  As a methodology and not a piece of software – I would have expected to see a Creative Commons License.

Tag lines aside – the OSSTMM is a peer-reviewed methodology for performing security tests and metrics, and the test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

Pete rarely gets to the US, so this is a unique opportunity for security professionals to have an open discussion with him about trust-based security models and how to apply sound logic to securing and testing web application.

Christoph Baumgartner, CEO of OneConsult GmbH in Switzerland – whose firm has been using the OSSTMM methodology since its inception – recently commented on the value proposition the methodology standard offers, stating that, “the most important aspect is that we have an easier time keeping our clients. Most of the companies and organizations which order security audits on a regularly basis are fairly well organized and have a strong interest in gaining and keeping an adequate level of security.”

“Having the attack surface metrics, the ravs, means that they can watch trends and keep a close eye on how changes in operations affect their security directly. I can definitely confirm that many of our clients who have to change the supplier for security policy reasons expect their future suppliers to apply the OSSTMM.”