Penetration Testing mailing list archives

Re: Pentest Criteria


From: Pete Herzog <lists () isecom org>
Date: Wed, 08 Sep 2010 13:23:42 +0200

Wim,

Your opinion is duly respected. I doubt I can say anything to you which I haven't said before. OSSTMM 3 is not done. It's been a lot of work. It's close to being done. Even I don't have a finished version. I'm sorry.

But you know I disagree with you about open source. The OSSTMM is "open source" because it doesn't hide the method inside some tool or checklist. All concepts, ideas, processes, formulas and methods are openly explained and always have been. The fact that it's not finished and therefore not available for public release yet does not affect whether it's open source. As for the people who invested in learning the OSSTMM and applying it in business, including training, they have all gotten newer, better security knowledge out of the process than all that other garbage that calls itself security out there. So I don't see the loss there. The fact that the manual itself is not done does not mean we cannot start helping people with what we know already. We already published multiple things on the trust metrics, the ravs, the rav formula, a rav calculation sheet, the STAR for businesses who want to make OSSTMM 3 tests already, and even the chapter which teaches people the framework for a valid, accurate, and useful security test. But maybe you missed all that.

So is it really so bad, then, that we ask that people who need it or use it but can't work on it subscribe? If you work on it (or any ISECOM project), we'll get you the OSSTMM 3 draft sooner. If you don't want to work on it then you wait until it's done. I don't think I'm the only one who finds that to be fair.

But I've told you all that before. The truth is that ISECOM wants to get the OSSTMM 3 done and publish it openly and freely. We have much more to gain from getting the OSSTMM 3 available to the public than not. So it is our intention to do so and we will do it as soon as we can.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org



On 9/8/2010 7:29 AM, Wim Remes wrote:
Pete,

with all due respect, but don't you think you have abused the open source predicament long enough for something that will never be open nor free?
I know companies that got involved with v2, that invested in getting resources trained in v3, or the subset of it that was available at the moment of the training, and now have the outlook that they'll be pointing their customers to another ISO standard instead of an open source standard.

At the moment OSSTMM 3 does nothing but frustrate the heck out of people who invested time in either v2 or v3 based on idealism and empty promises.

Cheers,
Wim

On 05 Sep 2010, at 20:36, Pete Herzog wrote:

What if a client wants criteria reported as well. I'm not sure if there is one I can use without running the risk of it being too far removed. Is there a framework or best practice which lends itself to pentests? Or do I have to try to layer NIST on top of it?

Thoughts?

OSSTMM 3 does exactly that. Currently it's being reviewed to either include in the ISO27000 series or be its own ISO. It has operational security metrics which allow you to rate vulnerabilities on what they do and it works very very well for pen test.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------