Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

better late than never.... (was Re: Penetration testing scope/outline)

From: Pete Herzog <pete () isecom org>
Date: Mon, 11 Oct 2004 13:03:51 +0200
Anders and others,
I have asked repeatedly for this kind of criticism to improve the OSSTMM documentation and this is exactly what I needed over a year ago (albeit more detail would be better). So better late than never.
It is this kind of discussion that improves the document. Thanks for your specific comments. It lets me know that I'm on the right track. And yes, 3.0 does fix the problems you mention.
I am careful with the pen testing / ethical hacking definitions as in the international business arena, those applied definitions change greatly. However, I do assure their implementation in the manual. OSSTMM 3.0 has evolved even more to be a methodology for thorough security testing and metrics where I focus on factual security metrics as a whole and allow for the manual to be taken in part for penetration testing and ethical hacking. I do identify the requirements of such and explain when a penetration test may be useful, even if I do find the penetration test to be of business value only under very limited circumstances. Note to flamers: I did say "business value" and will clearly explain the reasons for this at the ISESTORM symposium next Saturday (Oct. 18th) and post them on the ISECOM website upon my return.
I also try to completely withdraw the requirement of experience from following the test methodology as I find it to be a danger in most cases. It has been determined that a high level of experience is necessary for analysis but not for testing because it leads to false assumptions and unverified results. This has also led me to develop a more useable methodology where it can even be adapted for non-technical people requiring access to factual security metrics (already integrated in that format for the SecurityNOW! tool http://www.isecom.org/securitymetrics.shtml) and I have seen it has been integrated into the UnicornScan results (http://www.unicornscan.org). This is not to say the methodology is not as technical as always. Actually, it has followed technology quite well. However it just is more useable since it can be adapted into less technical formats. 

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.

------------------------------------------------------------------------------
Internet Security Systems. - Keeping You Ahead of the Threat
When business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology. 
http://www.securityfocus.com/sponsor/ISS_pen-test_041001
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: