[Owasp-testing] OSSTMM manual

Dinis Cruz dinis at ddplus.net
Fri Jan 19 08:11:22 EST 2007


Matteo, thank you very much for such an eloquent argument on the collaboration
between OWASP and ISECOM, with which I completely agree.

Let's remember that the objective here is to give the OWASP Testing Guide
users the best available resource and information. So it makes sense to
put in there references, comparisons and notes on other similar works that
might be of value to the OWASP Testing Guide readers.

Let's build bridges here since I'm sure ISECOM users will also benefit from
the OWASP Guide.

Matteo got it spot on here: "Someone at OSSTMM did a very good job in some
area, we here did a bunch of VERY GOOD work in another. Let's just sit and
find out how to share this knowledge and come out with a finished product
that is better than the single part and yet took us a fraction of the total
time a rewrite would have taken."

So I proposed that we include a section (a couple of pages) in the OWASP Testing
Guide about the areas of the ISECOM document that are worth looking at. And these
pages should actually be co-written by somebody from ISECOM. Matteo, can you
see if Pete Herzog can help?

Let's all have a group virtual hug now.... :)

Great stuff, great debate, I like this new OWASP :)

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 1/19/07, Matteo G.P. Flora <mf at matteoflora.com> wrote:
>
> On Jan 19, 2007, at 10:37 AM, Javier Fernández-Sanguino wrote:
>
> > And also, the "Open Source" thing faded away a long time ago (when
> > ISECOM
> > was introduced); the license is not at all OSS and neither is the
> > development process anymore (just take a look at how many times they've
> > had a 3.0 release and only provided it to those who pay)
>
> Interesting.  I've had the opposite experience.
>
> I know they are tight on controlling the submissions but they are
> very much still open, as anyone who contributes regularly may tell you.
> Looking at 2.2: it has an OSS license.
>
> Here in Italy I use OSSTMM for many Gov related work and it has
> served me well in the latest years, but that is only my experience, of
> course...
>
> When I asked about 3.0 they said it isn't available because it wasn't
> finished AT ALL. When they released 2.0 publicly it was unfinished, so
> it made problems because nobody knew if we should use it.  Now they
> said they won't release 3.0 publicly until it's done and reviewed
> because of how many companies and government organizations use it as
> a standard. It makes sense to me.
> And to pay for beta access is okay because we all know there is no
> such thing as a free lunch.... I think they have to pay their bills
> somehow.
>
> > I'd rather not link OWASP and OSSTMM. If some idea is interesting from
> > the manual I suggest it was redone instead of reused.
>
> You know, I've an attitude of mine that has saved me thousands of
> hours. It's pretty simple and isn't long at all to memorize, as it
> only states: "DO NOT reinvent the wheel".
>
> Someone at OSSTMM did a very good job in some area, we here did a
> bunch of VERY GOOD work in another. Let's just sit and find out how
> to share this knowledge and come out with a finished product that is
> better than the single part and yet took us a fraction of the total
> time a rewrite would have taken. I don't really think Apache would
> have been so good had ANYONE in the world reimplemented an HTTP daemon
> at every turn...
>
> These are, of course, my unworthy 2 euroCents, but I thought someone
> had to say it...
>
> If needed I can directly contact Pete (Herzog) and ask him to sit
> around a table. And I can DRAG him to do it if needed ;) We're on
> good speaking terms, even if I'm not part of ISECOM and/or OSSTMM myself.
>
> Let me know and I'm (as usual) here if needed.
>
> Let's be a NOVELTY: let's BUILD instead of DEMOLISH the other parts...
> I know that the "divide et imperat (divide and rule)" motto is deep
> within every security guy and that your solution is always better
> than mine, but throwing another standard in the game would only
> (IMHO) confuse the final user and create a very high FUD factor. We
> don't want it, so for the sake of novelty let's cooperate...
>
> At least, this is what I'd do....
>
> Greetings for an almost-springtime Italy.
>
> MgpF
>
> --
> Matteo G.P. Flora | mf at matteoflora.com | www.MatteoFlora.com
> Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
> Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
> Privacy & Security Consultant | Forensic Examiner | SEO Expert
> Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com