Penetration Testing mailing list archives
RE: Pentesting Methodology/Framework
From: "Cor Rosielle" <cor () outpost24 com>
Date: Wed, 10 Nov 2010 09:26:11 +0100
Kurt,

I assume you meant ISSAF (Information Systems Security Assessment Framework) and not ISSF (I couldn't find that one). I am not familiar with ISSAF, but I do know the OSSTMM quite well. I visited the ISSAF website and the first two pages I read already demonstrated differences with the OSSTMM.

1 - at http://www.oissg.org/ it says ISSAF's objective is to: "Evaluate the organizations information security policies & processes to report on their compliance ..."

2 - the penetration test methodology is the "traditional" approach described in outdated books about hacking and focuses on gaining access, privilege escalation, maintaining access, covering tracks, etc. (http://www.oissg.org/wiki/index.php?title=PENETRATION_TESTING_METHODOLOGY)

Ad. 1. When you are compliant, that doesn't mean you are safe and secure. It just means that you follow some minimum standards. But if you focus on security and safety, most of the time you are compliant as well. Compliance is useful for companies and organizations who cannot or don't want to think for themselves, because it provides a minimum amount of security controls.

Ad. 2. Suppose it was not possible to gain access during a penetration test. Does that mean you are safe and secure? No, it doesn't. It only tells you it was not possible to gain access under the circumstances of the test (at a specific time, within the time available for testing, etc.). Take for example DLL-hijacking. It has been known for 10 years or more that the vulnerability existed. There just was no exploit for it. A few months ago H.D. Moore published the exploit and suddenly it rained "new" vulnerabilities in lots of products.

The OSSTMM approach is different. One important thing is critical thinking. Don't just copy a control that proved to work for another company under other circumstances at another time, but think about what would be good for your company now. Another thing is that it focuses on operational security. This means you don't just check if https is used, but also that the web service is configured right to use SSL in a secure manner. Even if no access is gained, you still can make a statement about the safety controls that were recognized, the flaws found in the controls, how they balance, and reach a conclusion about the safety of the target.

Now don't get me wrong. I am not telling you ISSAF is worthless. I don't know it well enough to make such a statement and I do believe there are organizations and circumstances where ISSAF can increase security. I just think the OSSTMM is a better approach. It would be interesting to hear the opinion of an ISSAF expert (or even an ISSAF evangelist).

Kind regards,
Cor Rosielle
Outpost24 / Lab106

PS If someone just wants to flame me because of my opinion, try to control yourself. It doesn't add value to the discussion. I won't respond to flame messages and will delete the message just as easily as others do.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kurt M.D. John
Sent: Tuesday 9 November 2010 2:48
To: pen-test () securityfocus com
Cc: cgray () tcba com; sarthur () tcba com
Subject: Pentesting Methodology/Framework

Hey guys,

What are your thoughts on Information System Security Framework (ISSF) vs. Open Source Security Testing Methodology Manual (OSSTMM)?

Thanks,
Kurt M. D. John, CISA, C|EH, CPT

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------