[Owasp-board] [ISECOM-news] Updated Docs on OSSTMM 3

Tom Brennan tomb at owasp.org
Wed May 26 14:31:18 UTC 2010


Now we have a party.

Pete - OWASP has scaled by having project committees; see: http://www.owasp.org/index.php/Global_Committee_Pages. These groups focus on the core of OWASP Foundation. We should work to map your volunteers to ours to collaborate on joint efforts.

Look forward to meeting up with you in October - perhaps I can get you to do a talk at OWASP NYC - what are your dates in town? http://www.owasp.org/index.php/NYNJMetro


On May 26, 2010, at 9:59 AM, Pete Herzog wrote:

> Hi,
> 
> That's a good question. I guess it depends on the developers you have access to. There's always the need for new tools but what we really lack is anyone to develop them beyond a proof of concept. Even getting a PoC is difficult. So collaborating on tools might be interesting for both our organizations.
> 
> We have the SCARE tool (www.isecom.org/scare) for the C language but the same concept would be great for web app languages. What we need is a developer who can make the crawler and an expert for each web language which needs to be analyzed.
> 
> A few companies have melded OWASP testing guide and OSSTMM (Applied OSSTMM for Web Apps) from what I've heard but I have yet to see them. I have seen a guide which applies the OSSTMM 3 attack surface metrics to web apps but it's proprietary and in use by the company that made it. Any of that might be interesting if we had people who could do either of those.
> 
> Another possibility is applying trust properties to web sites. This would require writing quantification rules from each of the trust properties to determine the level of trustworthiness a site will have to the public or any other perspective we choose. The closer you are to the site the more you might know to determine your trust level. It would help companies determine how they can better secure their sites and run their sites in ways that will increase the amount of trust people have in them.
> 
> Well, those are my current ideas. I'll be flying into NY in October and will make my way up to Toronto for SecTor. I plan to be doing seminars along the way again. Perhaps there's synergy there with OWASP events?
> 
> I look forward to hearing back from you.
> 
> Sincerely,
> -pete.
> 
> -- 
> Pete Herzog - Managing Director - pete at isecom.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
> 
> On 5/25/2010 8:47 PM, Tom Brennan wrote:
>> Pete,
>> 
>> What would you like to see OWASP (www.owasp.org) and ISECOM (www.isecom.org) do together in 2010+?
>> 
>> 
>> 
>> On May 25, 2010, at 2:37 PM, Pete Herzog wrote:
>> 
>>> New OSSTMM Sample from Chapter 2 released publicly! The most current
>>> Table of Contents released publicly! Get it now at www.osstmm.org!
>>> 
>>> Sincerely,
>>> -pete.
>>> 
>>> --
>>> Pete Herzog - Managing Director - pete at isecom.org
>>> ISECOM - Institute for Security and Open Methodologies
>>> www.isecom.org - www.osstmm.org
>>> www.hackerhighschool.org - www.badpeopleproject.org
>>> 



