Penetration Testing mailing list archives
RE: OSSTMM how good is it?
From: "Steve Armstrong" <stevearmstrong () logicallysecure com>
Date: Tue, 16 May 2006 13:01:12 +0100
Rik I believe the OSSTMM is a good framework, in an industry with few public standards. As to its resected nature, I cannot answer that however, I point to fact it is probably one of the few standards the customer can get for themselves and read. Thereby showing your practices and procedures are open to scrutiny (if required) and your testing should be all encompassing and thus reducing his risk of future unknown security issues. It is good because it challenges the perception that many IT Security Testing Companies will agree to testing without publishing the depth and vigour to which they will undertake that testing. Many just come and do 'stuff' and give you a report and an invoice. Please note I am not disrespecting these companies, I am perhaps oversimplifying the controls that place on releasing what they actually do - usually for fear of competition. However, you state you are undertaking IS1&3 but not 2 why is that. And given the nature of IS1&3 why are you using CRAMM? Finally, are you looking to use the OSSTMM as in internal testing standard or one to level contracts against? I ask because your questioning alludes to a non technical level of expertise but you are discussing a methodology to undertake technical testing. Steve A Reader and user of IS1-5 but NOT CRAMM User of OSSTMM --------------------------------------------------- UK IT Security Forum - www.logicallysecure.com/forum ------------------------------------------------------------------------ -------------------------- -----Original Message----- From: rik kershaw-moore [mailto:rkm () tsiolkovsky co uk] Sent: 16 May 2006 06:47 To: pen-test () securityfocus com Subject: OSSTMM how good is it? Can I ask what people think of the OSST and the Methodology laid down in the OSSTM Manual? Another question, especially for those UK residents - how well respected is the OSST Methodology? I am thinking of including this in our standard internal dest practice set. We aleady use the HMG InfoSec Standards 1 & 3 and CRAMM for Risk Assessment, the ITIL Security Model for Security Change & Incident Management but we are currently lacking when it comes to a decent Testing Standard. Yours, Rik Kershaw-Moore, ITPC-HMG.. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ------------------------------------------------------------------------ ------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------ ------ ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- RE: OSSTMM how good is it? Steve Armstrong (May 16)
- Re: OSSTMM how good is it? rik kershaw-moore (May 17)
- <Possible follow-ups>
- Re: OSSTMM how good is it? baumgartner (May 16)
- Re: RE: OSSTMM how good is it? mythoughts (May 17)
- Re: RE: OSSTMM how good is it? offset (May 18)
- Re: RE: OSSTMM how good is it? T . Dudek (May 31)
- Re: RE: OSSTMM how good is it? offset (May 18)
- Re: RE: OSSTMM how good is it? stevearmstrong (May 18)