[Owasp-leaders] OSSTMM Version 3

Justin Searle justin at meeas.com
Thu Oct 24 09:27:59 UTC 2013

Sorry Tony.  Perhaps I went a bit far with my statement about discouraging
it's use.  As I said I find value in their document and think they did a
great job in putting it together.  And like you, I'm also not a proponent
of CVSS.

> As far as being unethical? The OSSTMM is only closed in it's development
process. The finished document is fairly open as far as being accessible
and free to utilize.

Actually I'm less concerned with the development process than the
licences.  They document really isn't that open nor free to utilize.  As
the person in OWASP that gets forwarded all the licensing questions, I can
tell you that trying to use OSSTMM would be a legal nightmare if you needed
to make lawyers happy.  Please do have a good read through their
restrictions page.  You can't really get much less compatible with open
source licenses.  None of our OWASP projects (documents nor tools) can be
based on their methology, nor contain any OSSTMM content, according to the

> I won't wade too deeply into those waters though because I'm not an
attorney and really could care less about labels.

The ethics remark I still do believe though.  I don't think is just a label
issue.  It the way the project is portrait in addition to its name.  Why
would one claim to be an open source project when you don't meet the
publically accepted definition nor be compatible with any other OSS
project.  I love that it's a freely distributed document created to help
the community.  But I think calling it an OSS project, and worse, including
OSS in it's name is dishonest and misleading.

> I have honestly not spent much time being upset about the restrictions
page because I have never felt constrained by my use of the materials.

Most people aso sign legal documents without reading them.  Being a
business owner and a consultant, I do read the legal bits, both to protect
my company and to provide better advice for my clients.  Trust me, it's
dangerous to use as written.

> I think there's far too much focus on theoretical situations where their
model might not fit, and not enough time actually identifying the value
that CAN be achieved.

I'm in complete agreement with you here.  I like the fact they approach
their methology from a different perspective.

> Does ISECOM contribute to the overall body of work in the InfoSec space?
I would say yes.

Strongly agreed.

> Why throw all of that away because of a philosophical difference?

I don't think we should throw it away, I just don't think it is usable with
its current terms.  And it's not about philosophical differences.  There
are serious legal issues here, especially in the context of OWASP and our
opensource projects.

> Oh, that's right. Because it's popular to bash ISECOM right now.

Sorry, my control system focus of late must have me living in a bubble.  I
honestly haven't heard anyone else bash the group nor the document.  My
feelings are my own and originated in my own head.

>I have a lot of respect for you as a technologist Justin, but I do not
agree with you.

Sorry if I had attached too much emotion to me previous post.  I hope this
follow up has helped clarify that it isn't a philosophy concern but rater a
legal concern that prompted my response.

> Understand the tools you are working with of course, but don't throw away
the hammer because the logo says it's a screwdriver.

Honestly, one of my largest concerns are for our project leaders thinking
of OSSTMM as a hammer that they can freely mix with their other OWASP
tools.  If the never look behind the OSS label in the document name, they
could be making serious legal mistakes.  I wish we could expound upon
OSSTMM in our testing guide and other docs, but doing more than referencing
there is a doc called OSSTMM is explicitly prohibited by the OSSTMM.  I
would also love to see an OWASP tool created to help people perform OSSTMM
tests, but that is also restricted.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131024/f9aa550b/attachment.html>

More information about the OWASP-Leaders mailing list