The Open Source Security Testing Methodology Manual

From Wikipedia, the free encyclopedia

The OSSTMM provides a methodology for a thorough security test. A security test is an accurate measurement of security at an operational level, free of assumptions and anecdotal evidence. A proper methodology makes for a valid security measurement that is consistent and repeatable. An open methodology means that it is free from political and corporate agendas. An open source methodology allows for free dissemination of information and intellectual property. This is the OSSTMM: the collective development of a true security test and the extraction of factual security metrics.

Started at the end of 2000, the OSSTMM quickly grew over the following years to encompass all security channels with the applied experience of thousands of reviewers. The OSSTMM had been housed under the domain ideahamster.org, where it received a steady amount of traffic from contributors dubbed "ideahamsters". An "ideahamster" is the nickname for people who were spinning out new ideas like a hamster on a wheel. However, as the OSSTMM grew in popularity, the organization and its name were pressured to grow up as well. In November 2002, ideahamster announced the name change to ISECOM, which stood for the Institute for Security and Open Methodologies. By January 2003, ISECOM had been registered as a non-profit organization in Spain and in the United States of America, and it officially served the public good. By 2005, the OSSTMM no longer stood for just a way of ethical hacking; it became a way to verify that security was being done right at the operational level. As audits became mainstream, the application of a security test meant truth-finding. Auditors reviewing operations found that "best practice", by definition, was no longer best for everyone, no matter how it seemed on paper.

The ultimate goal is to set a standard in security testing methodology which, when used, results in meeting practical and operational security requirements. The indirect result is creating a discipline that can act as a central point in all security tests, regardless of the size of the organization, technology, or defenses.

The OSSTMM begins with a review of the scope's posture and ends with verification and comparison of results to any alarms, alerts, or access logs. This is a full-circle concept: the first step is to be aware of the legalities and operational requirements of those who, or that which, operate and interact with the scope, and the methodology ends with reviewing the records the tests have left behind. In simplest terms: you know what you need to do, you do it, and then you check what you have done.

As the OSSTMM continues to grow, it has never lost its vendor-free, politically neutral values. The methodology has continued to provide straight, factual tests for factual answers. It includes information for project planning, quantifying results, and the Rules of Engagement for those who will perform the security tests. As a methodology, it does not teach how or why something should be tested; what you can do is incorporate it into your testing needs, harmonize it with existing laws and policies, and use it as the framework it is to assure a thorough security test through all channels to information or physical property.

It is recommended that you read through the manual once completely before putting it into practice. It aims to be a straightforward tool for the implementation and documentation of a security test. Further assistance is available at the ISECOM website for those who need help understanding and implementing this methodology.

ISECOM, the directors of the manual, provide professional certifications for security testers (OPST) and security analysts (OPSA). These certifications require applied knowledge and skills to pass, which better differentiates between those who can walk the walk and those who can only talk the talk. Both the OPST and OPSA have become requirements in many countries for providing government security tests, audits, and penetration tests. Unlike other certifications in the hacking genre, certified Professional Security Testers and Analysts had to prove the ability to apply their skills efficiently and with exactness. This level of precision under time pressure means losing bad habits, working with formal methods, and applying formal verification to get factual results. For this reason, those who are OSSTMM certified are finding themselves more readily employed than those with other penetration testing certifications in many fields, even outside of IT.

The OSSTMM has been re-developed into everything from security policies to lessons for high-school students. With its unique, straightforward approach to fact finding, the OSSTMM is even being used to test business processes for weaknesses through which fraud, money laundering, and other types of crime can penetrate.

As Pete Herzog, the creator of the OSSTMM said, "The OSSTMM is no more than the recipe for making the perfect cake in any environment."