[Owasp-leaders] OSSTMM Version 3

Tony Turner tony.turner at owasp.org
Wed Oct 16 19:38:11 UTC 2013

I'm probably going to paint a target on my forehead for this, but you say
there are "better resources out there". Better for what? People use OSSTMM
in different ways. For RAV, assessment methodology, common language for
penetration testing, etc.

I've used their RAVs in the past, but it requires a mindset shift that is
unlike anything else out there. Am I doing 100% OSSTMM assessments? For the
most part no, because it's so different for most people to even comprehend
what is required that the level of effort is counter-productive unless you
are on a team that is already doing this stuff. The value I think is
largely in being a different way of thinking about security. The concept of
attack surface metrics driving risk contextually as opposed to trying to
fabricate some ludicrous risk metric like CVSS (yes RAV has risk in its
name but it doesn't actually quantify risk) runs completely counter to the
mindset that we need to layer a bunch of complex security controls on top
of our assets to properly protect them. Their focus on trust metrics and a
host of other research is unlike anything else I've seen out there.

As far as being unethical? The OSSTMM is only closed in its development
process. The finished document is fairly open as far as being accessible
and free to utilize. I won't wade too deeply into those waters though
because I'm not an attorney and really could care less about labels. I have
honestly not spent much time being upset about the restrictions page
because I have never felt constrained by my use of the materials. I think
there's far too much focus on theoretical situations where their model
might not fit, and not enough time actually identifying the value that CAN
be achieved. Could it be more open? Sure. But I'm a glass is half-full
kinda guy.

Does ISECOM contribute to the overall body of work in the InfoSec space? I
would say yes. Why throw all of that away because of a philosophical
difference? Oh, that's right. Because it's popular to bash ISECOM right
now. I have a lot of respect for you as a technologist Justin, but I do not
agree with you. Understand the tools you are working with of course, but
don't throw away the hammer because the logo says it's a screwdriver.

Tony Turner
OWASP Orlando Chapter Leader

On Wed, Oct 16, 2013 at 3:05 PM, Justin Searle <justin at meeas.com> wrote:

> John, it is unlikely that OWASP will ever have much to do with OSSTMM.
> While they have open source in their name, their document is anything but.
> Check out the restrictions page in their document.  OWASP projects must be
> open source as per our mission, and according to the OSS definition, open
> source can't restrict commercial use, which OSSTMM requires for use of
> their material.  Worse they claim far more than simple copyright of the
> material, they claim ownership of the ideas contained and the methodology,
> which I'm pretty sure isn't legal in the US and most countries without
> being granted a patent.  Honestly, the ISO and NIST standards don't claim
> to be open source but are far more open than the OSSTMM is.  It makes me
> sick every time I read their restrictions page.  It's a great document, but
> it is about as far from open source as you can get.  It reminds me of when
> Microsoft tried to claim their software was open source because they
> allowed some of their clients to see the source.
> IMHO, I think we should discourage people from its use.  I think their
> actions are unethical to claim to be something they are not.  And honestly,
> there are better resources out there.
> Justin Searle
> Managing Partner - UtiliSec
> +1 801 784 2052
> justin at utilisec.com
> justin at meeas.com
> On Oct 16, 2013 11:26 AM, "Rogers, John M." <John.Rogers at lfg.com> wrote:
>> OWASP Leaders,
>>
>> I was asked by an OWASP Member if we had any OWASP resources
>> associated/familiar with OSSTMM Version 3.
>>
>> The specific questions are:
>>
>> “Has anyone outside of ISECOM used OSSTMM Version 3 as their primary
>> framework in an assessment?  If so, were the changes from Version 2 to
>> Version 3 significant in added value? Are there informed opinions/arguments
>> making the case that the "rav" is more than just another entry in a large
>> and always growing set of security metrics clamoring for attention?”
>>
>> Version 3.02 of the OSSTMM is freely available at
>> http://www.isecom.org/mirror/OSSTMM.3.pdf.  Newer versions are in draft
>> form, but only available to paid subscribers.
>>
>> Thanks.
>>
>> jr
>> John M. Rogers, CISSP
>> Senior Application Security Engineer
>> Lincoln Financial Group, 8801 Indian Hills Drive 8972, Omaha, NE 68114
>> Phone: Work: 402-361-7343, Cell: 402-536-0722
>> Email: John.Rogers at lfg.com
>> Web: www.lfg.com
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
tony.turner at owasp.org