Penetration Testing mailing list archives
RE: Pentest Criteria
From: "Cor Rosielle" <cor () outpost24 com>
Date: Thu, 9 Sep 2010 12:23:26 +0200
In my opinion the OSSTMM is truly open source. I'll tell you why. About two years ago there was something in the OSSTMM I disagreed with and sent an email about that. I can't even recall the mail address I sent it to. Pete replied and this was the start of my involvement in the OSSTMM. In no time I was a reviewer and shortly after I was a contributor. This is an essential part of an open source project: peer review and allowing community contribution to the project.

I got copies of OSSTMM3 without paying for it. At least I paid no money; I invested my time (nowadays our company does contribute to ISECOM as an affiliate partner, but that's not how I got my first copies of OSSTMM3; those were shared free of cost within an open source project).

OSSTMM3 is not completely done yet, but like Pete wrote there is plenty available in bits and pieces. And if you care to spend time on it and understand what it says, you'll get an idea about what to expect. You'll also see it is quite different from what the major part of the security world currently thinks is secure (or even sells as secure). But bits and pieces are what is available now and you can already learn a lot from them. The "world" must wait for the complete document until the document is completed. I would say this is obvious and don't see why this is not fair.

Cor Rosielle
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Pete Herzog
Sent: Wednesday, 8 September 2010 23:19
To: Wim Remes
Cc: Ulisses Castro; p0wnsauc3 () googlemail com; TAS; Kurt M. John; pen-test () securityfocus com
Subject: Re: Pentest Criteria

Wim,

> can you explain how exactly an ISO committee is reviewing a "written manual" that does not exist yet? And do you believe more in the feedback from an ISO committee than from a community that is working on security in the trenches every single day?

You misunderstand. ISO isn't reviewing the OSSTMM 3 to better the OSSTMM; they are doing it to see how it fits in the ISO family. The PEER REVIEW of the OSSTMM happens by anyone who can and will review it. We put out calls for reviewers and people show up to review it. Most people never respond back but some do and we go on from there. Some of the best reviews though come from people who just take that which we put out there and start asking questions about it.

The written part is a draft. Just like code that doesn't work, it's just ideas and concepts that are getting put together. The hardest part is putting all the ideas and concepts together so they make sense. So we can publish parts, and we have, but we don't have a whole. It's the equivalent of non-functional code. But just so you know, we've also provided the OSSTMM 3 draft in parts to university students working on theses, NIST, the German government's BSI, the Italian government, a few other government offices that I don't remember anymore and many contributors and reviewers from around the world. Again, would you be happier if we published nothing at all until each full version is complete?

> On another note, OSSTMM 2.2 is even no longer hosted on the ISECOM website. Does it suck THAT hard?

We don't host it because we could no longer support it. After many requests regarding updates for 2.2 we realized we had to remove it as a direct link off our site to show that we are working on something new. But it's still there. We still carry it in our mirrors. See: http://isecom.securenetltd.com/osstmm.en.2.2.pdf It's not gone from public use. It's just no longer updated by ISECOM. We can't support it and work on 3.0.

> Look, people engaged in using 2.2 because it was good, it was relevant and it was open. They could refer their customers to an open standard, life was good. Companies invested themselves in using 2.2 because it was worth something. Then came the promise of 3 and companies invested themselves into a paywalled document trusting that, by what they saw from 2.2, it would kick ass. They got people trained on a subset of a non-existing manual at full price, they got people contributing to 3 (how many and how much is only known by you) believing one day the sowing would end and the reaping could start. More importantly, they believed YOU that 3 would make everything about security different. They trusted YOU.

People used 2.2 because that's what there was. When we realized that it was too broken to advance and required a new re-write, we did that. We tried to carry 2.2 as long as we could but sometime in 2008 we had to stop supporting it. The new material just did not fit with the old concepts. The companies who invested in 3.0 are fine for doing so. It's a living, breathing project that's growing. They are learning new and better concepts for having invested in it. Many of these companies are also contributors and sponsors so they have versions of the draft they can show their clients.

> What is it you don't get?

I don't get your anger. Nobody said the OSSTMM is dead or was going away. If anything, we've been showing more and more each day that it's alive and we're working on it. Listen, I do think OSSTMM 3 will make security different and better. I know it's better. I don't think anyone is let down by it. But I can tell you that responding to faulty accusations on mailing lists won't make it happen any faster.

-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- Pentest Criteria Kurt M. John (Sep 03)
- Re: Pentest Criteria TAS (Sep 05)
- Re: Pentest Criteria Pete Herzog (Sep 07)
- Re: Pentest Criteria Wim Remes (Sep 08)
- Re: Pentest Criteria Pete Herzog (Sep 08)
- Message not available
- Re: Pentest Criteria Pete Herzog (Sep 08)
- Re: Pentest Criteria Wim Remes (Sep 08)
- Re: Pentest Criteria Pete Herzog (Sep 08)
- Message not available
- Re: Pentest Criteria Kurt M. John (Sep 09)
- RE: Pentest Criteria Cor Rosielle (Sep 09)
- Message not available
- Re: Pentest Criteria Pete Herzog (Sep 09)
- Re: Pentest Criteria Pete Herzog (Sep 07)
- Re: Pentest Criteria TAS (Sep 05)