[Owasp-testing] OSSTMM manual

Daniel Cuthbert daniel.cuthbert at owasp.org
Fri Jan 19 08:32:38 EST 2007


Hang on one moment on the group hug there busta!!

The latest version is OSSTMM.3.0 (which is in RC mode). Now to access
this you need to be a GOLD, or Silver, member and Gold costs $259 and
Silver $49.
If you want the free version, well that's stuck at ver 2.0 and has
been for years now.

If you are saying we collaborate, and I have no issue with this, then
something needs to be done.

It might say open source on the tin, but from where I'm sitting it
looks like a pay as you go open source and I'm sorry, none of the
content I have written will ever be charged for and this is one of
the sole reasons I joined with Mark and Jeff when OWASP was started
back in the day.


On 19 Jan 2007, at 20:11, Dinis Cruz wrote:

> Matteo, thank you very much for such an eloquent argument on the
> collaboration between OWASP and ISECOM, with which I completely agree.
>
> Let's remember that the objective here is to give the OWASP
> Testing Guide users the best available resource and information. So
> it makes all sense to put in there references, comparisons and notes
> on other similar works that might be of value to the OWASP Testing
> Guide readers.
>
> Let's build bridges here since I'm sure ISECOM users will also
> benefit from the OWASP Guide.
>
> Matteo got it spot on here: "Someone at OSSTMM did a very good job
> in some area, we here did a bunch of VERY GOOD work in another.
> Let's just sit and find out how to share this knowledge and come
> out with a finished product that is better than the single part and
> yet took us a fraction of the total time a rewrite would have
> taken.".
>
> So I proposed that we include a section (couple pages) in the OWASP
> Testing Guide about the areas that ISECOM document are worth
> looking at. And these pages should actually be co-written by somebody
> from ISECOM. Matteo, can you see if Pete Herzog can help?
>
> Let's all have a group virtual hug now.... :)
>
> Great stuff, great debate, I like this new OWASP :)
>
> Dinis Cruz
> Chief OWASP Evangelist
> http://www.owasp.org
>
> On 1/19/07, Matteo G.P. Flora <mf at matteoflora.com> wrote:
> On Jan 19, 2007, at 10:37 AM, Javier Fernández-Sanguino wrote:
>
> > And also, the "Open Source" thing faded away long time ago (when
> > ISECOM was introduced) the license is not at all OSS and neither is the
> > development process anymore (just take a look at how many times they've
> > had a 3.0 release and only provide it to those who pay)
>
> Interesting.  I've had the opposite experience.
>
> I know they are tight on controlling the submissions but they are
> very much still open as anyone who contributes regularly may tell you.
> Looking at 2.2: it has an OSS license.
>
> Here in Italy I use OSSTMM for many Gov related work and it has
> served me well in the latest years but that is only my experience, of
> course...
>
> When I asked about 3.0 they said it isn't available because it wasn't
> finished AT ALL. When they released 2.0 publicly it was unfinished so
> it made problems because nobody knew if we should use it.  Now they
> said they won't release 3.0 publicly until it's done and reviewed
> because of how many companies and government organizations use it as
> a standard. It makes sense to me.
> And to pay for beta access is okay because we all know there is no
> such thing as a free lunch.... I think they have to pay their bills
> somehow.
>
> > I'd rather not link OWASP and OSSTMM. If some idea is interesting from
> > the manual I suggest it was redone instead of reused.
>
> You know, I've an attitude of mine that has saved me thousands of
> hours. It's pretty simple and isn't long at all to memorize as it
> only states: "DO NOT reinvent the wheel".
>
> Someone at OSSTMM did a very good job in some area, we here did a
> bunch of VERY GOOD work in another. Let's just sit and find out how
> to share this knowledge and come out with a finished product that is
> better than the single part and yet took us a fraction of the total
> time a rewrite would have taken. I don't really think Apache would
> have been so good had ANYONE in the world reimplemented an HTTP demon
> at every turn...
>
> These are, of course, my unworthy 2 euroCents, but I thought someone
> had to say it...
>
> If needed I can directly contact Pete (Herzog) and ask him to sit
> around a table. And I can DRAG him to do it if needed ;) We're on
> good speaking terms, even if I'm not part of ISECOM and/or OSSTMM
> myself.
>
> Let me know and I'm (as usual) here if needed.
>
> Let's be a NOVELTY: let's BUILD instead of DEMOLISH the other
> parts...
> I know that "divide et imperat (divide and rule)" motto is deep
> within every security guy and that your solution is always better
> than mine, but throwing another standard in the game would only
> (IMHO) confuse the final user and create a very high FUD factor. We
> don't want it, so for the sake of novelty let's cooperate...
>
> At least, this is what I'd do....
>
> Greetings for an almost-springtime Italy.
>
> MgpF
>
> --
> Matteo G.P. Flora | mf at matteoflora.com | www.MatteoFlora.com
> Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
> Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
> Privacy & Security Consultant | Forensic Examiner | SEO Expert
> Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com