RE: ISSAF 0.2 release

["Omar A. Herrera" <omar.herrera () oissg org>]

Hi Stefano,

> -----Original Message-----
> From: Stefano Zanero [mailto:s.zanero () securenetwork it]
>
> Omar A. Herrera wrote:
> > We are pleased to announce the release of draft 0.2 of the Information
> > Systems Security Assessment Framework (ISSAF).
>
> Just to help me understand, what's the difference between this and the
> more established OSSTMM ?
>
> Stefano

Thanks for pointing this out; It will be useful to clarify this publicly
since many others will probably have the same question. For that matter I
reproduce below parts of a conversation with John Kinsella involving members
of the OISSG and ISECOM. 

As in that occasion, I invite Pete Herzog and other ISECOM members to post
any further clarifications they deem appropriate.

I hope this helps to clarify related doubts. Further questions and comments
on this matter are most welcomed.

Best regards,

Omar Herrera
Chairman, ISSAF Steering Committee


> > -----Original Message-----
> > From: John Kinsella [mailto:jlk () thrashyour com]
> > Sent: Tuesday, November 01, 2005 3:59 AM
> > To: Omar A. Herrera
> > Subject: Re: OISSG call for participation
> >
> > Omar - any comments on how you guys compare/compliment/differ to 
> > ISECOM?
> > Might want to put that as a FAQ somewhere on the site...
>
> We definitely will include this information in a FAQ, thanks for 
> your comment. But for now I'll address the question.
>
> ISECOM's OSSTMM is an excellent security testing methodology that 
> focuses mainly on pentesting. It is a mature project whereas ISSAF 
> has not yet reached a stable, for production use, stage.
>
> It might seem that wee overlap in some areas, but there are 
> differences that allow ISSAF and OSSTMM to complement each other.
>
> In some sense (because of its nature), ISSAF pretends to be broader 
> and more detailed, e.g. we have a section on how to assess AS400 
> systems, network devices, etc. and we plan to include sections on 
> how to do security assessments for handheld device configuration and 
> smartcards. We try to include as more information as possible, such 
> as detailed examples of testing techniques and some tool outputs.
> From a less technical point of view, ISSAF will cover things like 
> assessment of patch management, vulnerability management and version 
> control management processes.
>
> There are advantages and disadvantages to this approach; the 
> advantage is that you will have something like a security wikipedia 
> with information on how to conduct security assessments for a wide 
> range of processes and systems. However, this implies that it will 
> require frequent updates and a lot of effort to maintain.
>
> OSSTMM, being a methodology, will be less affected by obsolescence 
> issues, because you can apply the same methodology to several 
> assessment engagements, using different techniques and tools. On the 
> other hand, ISSAF is a framework and pretends to give you the latest 
> information on techniques, tools, best practices and regulation 
> issues to complement your assessment engagement, whether you use 
> OSSTMM as your assessment methodology or any other.
>
> We might work closely with ISECOM in the future as well. We are an 
> open group and are definitely not opposed to that :-).
>
> The opinion of Pete Herzog or any other members of ISECOM might also 
> help to clarify things further (I'm CCing Pete and Balwant, because 
> your question is interesting for both ISECOM and the OISSG). But for 
> now, I hope this will answer the question.
>
> Kind regards
> Omar Herrera



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------