Penetration Testing mailing list archives

RE: Pentesting Methodology/Framework


From: "Cor Rosielle" <cor () outpost24 com>
Date: Wed, 10 Nov 2010 09:26:11 +0100

Kurt,

I assume you meant ISSAF (Information Systems Security Assessment Framework)
and not ISSF (I couldn't find that one).

I am not familiar with ISSAF, but do know the OSSTMM quite well. 
I visited the ISSAF website and the first two pages I read already
demonstrated differences with the OSSTMM.
1 - at http://www.oissg.org/ it says ISSAF's objective is to: "Evaluate the
organizations information security policies & processes to report on their
compliance ..."
2 - the penetration test methodology is the "traditional" approach described
in outdated books about hacking and focuses on gaining access, privilege
escalation, maintaining access, covering tracks, etc.
(http://www.oissg.org/wiki/index.php?title=PENETRATION_TESTING_METHODOLOGY)


Ad. 1.
When you are compliant, that doesn't mean you are safe and secure. It just
means that you follow some minimum standards. But if you focus on security
and safety, most of the time you are compliant as well. Compliance is useful
for companies and organizations who cannot or don't want to think for
themselves, because it provides a minimum amount of security controls.

Ad. 2.
Suppose it was not possible to gain access during a penetration test. Does
that mean you are safe and secure? No, it doesn't. It only tells you it was
not possible to gain access under the circumstances of the test (at a
specific time, within the time available for testing etc.). Take for example
DLL-hijacking. It has been known for 10 years or more that the vulnerability
existed. There just was no exploit for it. A few months ago H.D. Moore
published the exploit and suddenly it rained "new" vulnerabilities in lots
of products.

The OSSTMM approach is different. One important thing is critical thinking.
Don't just copy a control that proved to work for another company under
other circumstances at another time, but think about what would be good for
your company now. Another thing is that it focuses on operational security. This
means you don't just check if https is used, but also whether the web service is
configured correctly to use SSL in a secure manner. Even if no access is gained,
you can still make a statement about the safety controls that were
recognized, the flaws found in the controls, how they balance, and reach a
conclusion about the safety of the target.

Now don't get me wrong. I am not saying ISSAF is worthless. I don't know it
well enough to make such a statement and I do believe there are
organizations and circumstances where ISSAF can increase security. I just
think the OSSTMM is a better approach.
It would be interesting to hear the opinion of an ISSAF expert (or even an
ISSAF evangelist).

Met vriendelijke groet,
Kind regards,

Cor Rosielle
Outpost24 / Lab106 

PS
If someone just wants to flame me because of my opinion, try to control
yourself. It doesn't add value to the discussion. I won't respond to flame
messages and will delete the message just as easily as others do.

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Kurt M.D. John
Sent: Tuesday 9 November 2010 2:48
To: pen-test () securityfocus com
Cc: cgray () tcba com; sarthur () tcba com
Subject: Pentesting Methodology/Framework

Hey guys,

What are your thoughts on Information System Security Framework (ISSF) vs.
Open Source Security Testing Methodology Manual (OSSTMM)?


Thanks,

Kurt M. D. John, CISA, C|EH, CPT



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
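The point in the reply above about checking not just that HTTPS is used but that the service is configured to use it securely, as an added example that is not part of the thread or of either framework: a small Python audit that parses an nginx-style server block and reports, in the style the reply describes, which safety controls were recognized and which flaws were found in them, so a statement can be made even when nothing is exploitable. The directive syntax, the two sample server blocks and the thresholds (TLS 1.2 floor, weak cipher keywords, HSTS expected) are my own constructed assumptions drawn from common baseline guidance, not anything the thread states.

```python
"""Audit a web server's declared TLS configuration for operational weaknesses.

Added example, not from the original thread. The nginx-style directive
syntax and the sample server blocks are constructed for illustration; the
checks encode assumed baseline guidance (TLS 1.2 or later, no
anonymous/NULL/export/RC4/DES/MD5 suites, HSTS header present).
"""
import re

# Protocol versions in order from weakest to strongest (assumed floor: TLS 1.2).
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_ACCEPTABLE_PROTOCOL = "TLSv1.2"

# Cipher-string components (OpenSSL keywords or suite-name fragments) that
# mark a suite as broken or unauthenticated.
WEAK_CIPHER_PARTS = {"NULL", "aNULL", "eNULL", "EXP", "EXPORT", "RC4", "DES",
                     "3DES", "MD5", "ADH", "AECDH", "LOW"}


def parse_directives(config_text):
    """Collect 'name value ...;' lines into {name: [token lists]}.

    Block delimiters ('server {', '}') and '#' comments are ignored, which
    is enough for auditing a single server block.
    """
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def cipher_tokens(specs):
    """Split OpenSSL cipher strings into individual keywords / suite names."""
    tokens = []
    for spec in specs:
        tokens.extend(t for t in re.split(r"[:,\s]+", spec.strip("\"'")) if t)
    return tokens


def audit_tls_config(config_text):
    """Return (controls_recognized, flaws) for one server block."""
    d = parse_directives(config_text)
    controls, flaws = [], []

    # 1. Is HTTPS used at all?
    if not any("ssl" in tokens for tokens in d.get("listen", [])):
        flaws.append("no TLS listener: traffic is plaintext")
        return controls, flaws
    controls.append("TLS listener present")

    # 2. Which protocol versions does the server offer?
    protocols = [p for tokens in d.get("ssl_protocols", []) for p in tokens]
    if protocols:
        controls.append("ssl_protocols restricted to " + " ".join(protocols))
        floor = PROTOCOL_ORDER.index(MIN_ACCEPTABLE_PROTOCOL)
        for p in protocols:
            if p in PROTOCOL_ORDER and PROTOCOL_ORDER.index(p) < floor:
                flaws.append(f"weak protocol offered: {p}")
    else:
        flaws.append("ssl_protocols not set: library defaults decide the versions offered")

    # 3. Does the cipher policy admit broken or anonymous suites?
    tokens = cipher_tokens(t for toks in d.get("ssl_ciphers", []) for t in toks)
    if tokens:
        controls.append("ssl_ciphers configured")
        excluded = {t.lstrip("!-") for t in tokens if t.startswith(("!", "-"))}
        enabled = [t.lstrip("+") for t in tokens if not t.startswith(("!", "-"))]
        for tok in enabled:
            for part in tok.split("-"):
                if part in WEAK_CIPHER_PARTS:
                    flaw = f"weak cipher family enabled: {part}"
                    if flaw not in flaws:
                        flaws.append(flaw)
        # 'ALL' includes anonymous (unauthenticated) suites unless excluded.
        if "ALL" in enabled and not {"aNULL", "ADH", "AECDH"} & excluded:
            flaws.append("anonymous suites not excluded (ALL without !aNULL)")
    else:
        flaws.append("ssl_ciphers not set: library defaults decide the suites offered")

    # 4. Is HTTPS enforced for returning browsers (HSTS)?
    if any(toks and toks[0] == "Strict-Transport-Security"
           for toks in d.get("add_header", [])):
        controls.append("HSTS header set")
    else:
        flaws.append("Strict-Transport-Security header not sent")

    return controls, flaws


# Constructed sample blocks: a weak configuration and a hardened one.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:RC4-SHA;
}
"""

STRONG_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", STRONG_CONFIG)):
        controls, flaws = audit_tls_config(cfg)
        print(f"[{label}] controls: {controls}")
        print(f"[{label}] flaws:    {flaws}")
```

The audit reads the declared policy, not what the server actually negotiates: a hardened config file says nothing about the library build behind it or about other listeners, so findings should be confirmed against the live service. The split between "controls recognized" and "flaws found" is the part worth keeping; the weak-keyword set and the protocol floor are policy inputs to revise as guidance changes.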