[Owasp-leaders] OSSTMM Version 3

Tobias tobias.gondrom at owasp.org
Thu Oct 24 23:54:20 UTC 2013

Hi Justin and Tony, 

and maybe one more comment on this below in support of Justin's points. 
Intentionally I will not go into any discussion on quality or usefulness
of OSSTMM itself, as this seems open for debate, but will stay with the
hard facts of the license only.

Just my 5cents, Tobias

On 24/10/13 10:27, Justin Searle wrote:
> Sorry Tony.  Perhaps I went a bit far with my statement about
> discouraging its use.  As I said I find value in their document and
> think they did a great job in putting it together.  And like you, I'm
> also not a proponent of CVSS.
> > As far as being unethical? The OSSTMM is only closed in its
> > development process. The finished document is fairly open as far as
> > being accessible and free to utilize.
> Actually I'm less concerned with the development process than the
> licences.  The document really isn't that open nor free to utilize.
> As the person in OWASP that gets forwarded all the licensing
> questions, I can tell you that trying to use OSSTMM would be a legal
> nightmare if you needed to make lawyers happy.  Please do have a good
> read through their restrictions page.  You can't really get much less
> compatible with open source licenses.  None of our OWASP projects
> (documents nor tools) can be based on their methodology, nor contain any
> OSSTMM content, according to the OSSTMM.

I share this concern very much. I am not a lawyer either, but to ignore
the law is a very dangerous path. And to build on stuff that is
basically only in the name open source but definitely not free, is not
There are some good real free open source license models. If OSSTMM is
changing to one of them, we could have this discussion, otherwise we
should not invest effort on supporting something that is in the end
effectively not-free (even if it may suggest in the name otherwise).
And just to be clear, this assessment of non-free is not my own; this is
based on Creative Commons.
OSSTMM uses the license "Attribution-NonCommercial-NoDerivs 3.0 Unported
(CC BY-NC-ND 3.0)". Btw. as you know, this license would obviously not
be acceptable for an OWASP project
(https://www.owasp.org/index.php/OWASP_Licenses), and if you go to the CC
website, you will see that the OSSTMM's CC BY-NC-ND 3.0 license is in
fact "not a Free Culture License", as judged by CC themselves.

Just fyi: a real free license is e.g. Creative Commons Attribution 3.0
(CC BY 3.0).

> > I won't wade too deeply into those waters though because I'm not an
> > attorney and really could care less about labels.
> The ethics remark I still do believe though.  I don't think it is just a
> label issue.  It's the way the project is portrayed in addition to its
> name.  Why would one claim to be an open source project when you don't
> meet the publicly accepted definition nor are compatible with any
> other OSS project.  I love that it's a freely distributed document
> created to help the community.  But I think calling it an OSS project,
> and worse, including OSS in its name is dishonest and misleading.

I have to agree with Justin.

> > I have honestly not spent much time being upset about the
> > restrictions page because I have never felt constrained by my use of
> > the materials.
> Most people also sign legal documents without reading them.  Being a
> business owner and a consultant, I do read the legal bits, both to
> protect my company and to provide better advice for my clients.  Trust
> me, it's dangerous to use as written.
> > I think there's far too much focus on theoretical situations where
> > their model might not fit, and not enough time actually identifying
> > the value that CAN be achieved.
> I'm in complete agreement with you here.  I like the fact they
> approach their methodology from a different perspective.
> > Does ISECOM contribute to the overall body of work in the InfoSec
> > space? I would say yes.
> Strongly agreed.
> > Why throw all of that away because of a philosophical difference?
> I don't think we should throw it away, I just don't think it is usable
> with its current terms.  And it's not about philosophical
> differences.  There are serious legal issues here, especially in the
> context of OWASP and our open source projects.

Indeed. This is actually very practical and not that philosophical.
Their current license explicitly says "we don't want to allow any
derivatives or commercial use" of their stuff. So OWASP must respect
their legal rights and not make any derivatives of it. It is their
choice to not use a "free culture license". And as long as they do that,
it would be dangerous to break the law of their license. And in fact we
should even be careful with any references to OSSTMM, and if you mention
it, immediately also give people the clear advice that this is not free
to use like all OWASP material.

> > Oh, that's right. Because it's popular to bash ISECOM right now.
> Sorry, my control system focus of late must have me living in a
> bubble.  I honestly haven't heard anyone else bash the group nor the
> document.  My feelings are my own and originated in my own head.
> > I have a lot of respect for you as a technologist Justin, but I do
> > not agree with you.
> Sorry if I had attached too much emotion to my previous post.  I hope
> this follow up has helped clarify that it isn't a philosophy concern
> but rather a legal concern that prompted my response.
> > Understand the tools you are working with of course, but don't throw
> > away the hammer because the logo says it's a screwdriver.
> Honestly, one of my largest concerns is for our project leaders
> thinking of OSSTMM as a hammer that they can freely mix with their
> other OWASP tools.  If they never look behind the OSS label in the
> document name, they could be making serious legal mistakes.  I wish we
> could expound upon OSSTMM in our testing guide and other docs, but
> doing more than referencing that there is a doc called OSSTMM is explicitly
> prohibited by the OSSTMM.  I would also love to see an OWASP tool
> created to help people perform OSSTMM tests, but that is also restricted.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
