[Owasp-leaders] OSSTMM Version 3

Justin Searle justin at meeas.com
Wed Oct 16 19:05:03 UTC 2013


John, it is unlikely that OWASP will ever have much to do with OSSTMM.
While they have open source in their name, their document is anything but.
Check out the restrictions page in their document.  OWASP projects must be
open source as per our mission, and acording to the OSS definition, open
source can't restrict commercial use, which OSSTMM requires for use of
their material.  Worse they claim far more than simple copyright of the
material, they claim ownership of the ideas contained and the methodology,
which I'm pretty sure isn't legal in the US and most countries without
being granted a patent.  Honestly, the ISO and NIST standards don't claim
to be open source but are far more open than the OSSTMM is.  It makes me
sick everytime I read their restrctions page.  It's a great document, but
it is about as far from open source as you can get.  It reminds me when
Microsoft tried to claim their software was open source because they
allowed some of their clients to see the source.

IMHO, I think we should discourage people from its use.  I think their
actions are unethical to claim to be something they are not.  And honestly,
there are better resources out there.

Justin Searle
Managing Partner - UtiliSec
+1 801 784 2052
justin at utilisec.com
justin at meeas.com
On Oct 16, 2013 11:26 AM, "Rogers, John M." <John.Rogers at lfg.com> wrote:

> OWASP Leaders,****
>
> ** **
>
> I was asked by an OWASP Member if we had any OWASP resources
> associated/familiar with OSSTMM Version 3.****
>
> ** **
>
> The specific questions are:****
>
> ** **
>
> “Has anyone outside of ISECOM used OSSTMM Version 3 as their primary
> framework in an assessment?  If so, were the changes from Version 2 to
> Version 3 significant in added value? Are there informed opinions/arguments
> making the case that the "rav" is more than just another entry in a large
> and always growing set of security metrics clamoring for attention?”****
>
> ** **
>
> Version 3.02 of the OSSTMM is freely available at
> http://www.isecom.org/mirror/OSSTMM.3.pdf.  Newer versions are in draft
> form, but only available to paid subscribers.****
>
> ** **
>
> Thanks.****
>
> ** **
>
> jr****
>
> [image: Description: C:\Documents and Settings\jmroger\Application
> Data\Microsoft\Signatures\sb.jpg]
> John M. Rogers, CISSP
> Senior Application Security Engineer
> Lincoln Financial Group, 8801 Indian Hills Drive 8972, Omaha, NE 68114
> Phone: Work: 402-361-7343, Cell: 402-536-0722
> Email: John.Rogers at lfg.com
> Web: www.lfg.com ****
>
> *You’re In Charge sm*****
>
> ██████ *WearYellow, LIVESTRONG!* <http://www.livestrong.org> ██████****
>
> ** **
>
>  Notice of Confidentiality: **This E-mail and any of its attachments may
> contain
> Lincoln National Corporation proprietary information, which is privileged,
> confidential,
> or subject to copyright belonging to the Lincoln National Corporation
> family of
> companies. This E-mail is intended solely for the use of the individual or
> entity to
> which it is addressed. If you are not the intended recipient of this
> E-mail, you are
> hereby notified that any dissemination, distribution, copying, or action
> taken in
> relation to the contents of and attachments to this E-mail is strictly
> prohibited
> and may be unlawful. If you have received this E-mail in error, please
> notify the
> sender immediately and permanently delete the original and any copy of
> this E-mail
> and any printout. Thank You.**
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131016/53f2e6c5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 3098 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131016/53f2e6c5/attachment-0001.jpg>


More information about the OWASP-Leaders mailing list