Penetration Testing mailing list archives
RE: ISSAF 0.2 release
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Mon, 24 Apr 2006 09:04:56 +0100
Hi Stefano,
-----Original Message-----
From: Stefano Zanero [mailto:s.zanero () securenetwork it]

Omar A. Herrera wrote:
> We are pleased to announce the release of draft 0.2 of the Information Systems Security Assessment Framework (ISSAF).

Just to help me understand, what's the difference between this and the more established OSSTMM?

Stefano
Thanks for pointing this out; it will be useful to clarify this publicly since many others will probably have the same question. For that matter, I reproduce below parts of a conversation with John Kinsella involving members of the OISSG and ISECOM. As on that occasion, I invite Pete Herzog and other ISECOM members to post any further clarifications they deem appropriate. I hope this helps to clarify related doubts. Further questions and comments on this matter are most welcome.

Best regards,

Omar Herrera
Chairman, ISSAF Steering Committee
-----Original Message-----
From: John Kinsella [mailto:jlk () thrashyour com]
Sent: Tuesday, November 01, 2005 3:59 AM
To: Omar A. Herrera
Subject: Re: OISSG call for participation

> Omar - any comments on how you guys compare/complement/differ to ISECOM? Might want to put that as a FAQ somewhere on the site...

We definitely will include this information in a FAQ, thanks for your comment. But for now I'll address the question.

ISECOM's OSSTMM is an excellent security testing methodology that focuses mainly on pentesting. It is a mature project, whereas ISSAF has not yet reached a stable, for-production-use stage. It might seem that we overlap in some areas, but there are differences that allow ISSAF and OSSTMM to complement each other.

In some sense (because of its nature), ISSAF pretends to be broader and more detailed, e.g. we have a section on how to assess AS400 systems, network devices, etc., and we plan to include sections on how to do security assessments for handheld device configuration and smartcards. We try to include as much information as possible, such as detailed examples of testing techniques and some tool outputs. From a less technical point of view, ISSAF will cover things like assessment of patch management, vulnerability management and version control management processes.

There are advantages and disadvantages to this approach; the advantage is that you will have something like a security wikipedia with information on how to conduct security assessments for a wide range of processes and systems. However, this implies that it will require frequent updates and a lot of effort to maintain. OSSTMM, being a methodology, will be less affected by obsolescence issues, because you can apply the same methodology to several assessment engagements, using different techniques and tools.

On the other hand, ISSAF is a framework and pretends to give you the latest information on techniques, tools, best practices and regulation issues to complement your assessment engagement, whether you use OSSTMM as your assessment methodology or any other. We might work closely with ISECOM in the future as well. We are an open group and are definitely not opposed to that :-). The opinion of Pete Herzog or any other members of ISECOM might also help to clarify things further (I'm CCing Pete and Balwant, because your question is interesting for both ISECOM and the OISSG). But for now, I hope this will answer the question.

Kind regards,

Omar Herrera