[Owasp-testing] OSSTMM manual

Matteo G.P. Flora mf at matteoflora.com
Fri Jan 19 05:35:39 EST 2007

On Jan 19, 2007, at 10:37 AM, Javier Fernández-Sanguino wrote:

> And also, the "Open Source" thing faded away a long time ago (when  
> was introduced) the license is not at all OSS and neither is the
> development process anymore (just take a look at how long they've
> had a 3.0 release and only provide it to those who pay)

Interesting.  I've had the opposite experience.

I know they are tight on controlling the submissions but they are  
very much still open as anyone who contributes regularly may tell you.  
Looking at 2.2: it has an OSS license.

Here in Italy I use OSSTMM for much Gov-related work and it has  
served me well in recent years but that is only my experience, of  

When I asked about 3.0 they said it isn't available because it wasn't  
finished AT ALL. When they released 2.0 publicly it was unfinished so  
it made problems because nobody knew if we should use it.  Now they  
said they won't release 3.0 publicly until it's done and reviewed  
because of how many companies and government organizations use it as  
a standard. It makes sense to me.
And to pay for beta access is okay because we all know there is no  
such thing as a free lunch.... I think they have to pay their bills  

> I'd rather not link OWASP and OSSTMM. If some idea is interesting from
> the manual I suggest it was redone instead of reused.

You know, I've an attitude of mine that has saved me thousands of  
hours. It's pretty simple and isn't long at all to memorize as it  
only states: "DO NOT reinvent the wheel".

Someone at OSSTMM did a very good job in some area, we here did a  
bunch of VERY GOOD work in another. Let's just sit and find out how  
to share this knowledge and come out with a finished product that is  
better than the single parts and yet took us a fraction of the total  
time a rewrite would have taken. I don't really think Apache would  
have been so good had ANYONE in the world reimplemented an HTTP daemon  
at every turn...

These are, of course, my unworthy 2 euroCents, but I thought someone  
had to say it...

If needed I can directly contact Pete (Herzog) and ask him to sit  
around a table. And I can DRAG him to do it if needed ;) We're on  
good speaking terms, even if I'm not part of ISECOM and/or OSSTMM myself.

Let me know and I'm (as usual) here if needed.

Let's be a NOVELTY: let's BUILD instead of DEMOLISH the other parts...
I know that the "divide et impera (divide and rule)" motto is deep  
within every security guy and that your solution is always better  
than mine, but throwing another standard in the game would only  
(IMHO) confuse the final user and create a very high FUD factor. We  
don't want it, so for the sake of novelty let's cooperate...

At least, this is what I'd do....

Greetings for an almost-springtime Italy.


Matteo G.P. Flora | mf at matteoflora.com | www.MatteoFlora.com
Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
Privacy & Security Consultant | Forensic Examiner | SEO Expert
Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com
