[Owasp-testing] OSSTMM manual

Javier Fernández-Sanguino jfernandez at germinus.com
Fri Jan 19 08:58:38 EST 2007

Matteo G.P. Flora said:
> On Jan 19, 2007, at 10:37 AM, Javier Fernández-Sanguino wrote:
>> And also, the "Open Source" thing faded away a long time ago (when ISECOM
>> was introduced); the license is not at all OSS and neither is the
>> development process anymore (just take a look at how many times they've
>> had a 3.0 release and only provided it to those who pay)
> Interesting.  I've had the opposite experience.
> I know they are tight on controlling the submissions but they are very 
> much still open, as anyone who contributes regularly may tell you. Looking 
> at 2.2: it has an OSS license.

This mail might sound harsh, but I just want to get the facts straight 
for everyone interested. I sincerely think that OWASP would be better 
off collaborating with Information Systems Security Assessment Framework 
(ISSAF) than with ISECOM's OSSTM. But, then again, it's not my call.

Does OSSTM really use an OSS license? I'm sorry I'm going to be the one 
that disappoints you, but the answer is a very big NO.

Here are the facts:

* Version 2.0 (released February 2003) referred to the GPL but had this 
statement on the front page of the document: "Any information contained 
within this document may not be modified or sold without the express 
consent of the author."

* Version 2.2 (released November 2006) [1] (c) footer states: "Any 
information contained within this document may not be modified or sold 
without the express consent of ISECOM. OSSTMM for free dissemination 
under the Open Methodology License (OML) and CC Creative Commons 2.5"

* The "Open Methodology License" is *not* an open source license (or an 
open document license for that matter), please read 

* The CC Creative Commons 2.5 with NoDerivs and NonCommercial attached 
to it is *not* an open source license

They are not open source because nobody (besides ISECOM) can:

- make new versions of the OSSTMM
- use OSSTMM for commercial purposes (including packaging it and selling 
it in a book)
- make commercial software based on the OSSTM (without violating the OML)

OSS licenses (see www.opensource.org) do allow commercial use of the 
work and, indeed, this is one of the pillars of open source. See the Open 
Source Definition (http://www.opensource.org/docs/definition.php): 

- "1. Free Redistribution"
- "3. Derived Works"

I repeat: something that does not allow somebody else to profit from 
it (yes, even if he did not contribute) is *not* open source. It is 
"gratis" source (i.e. it's "free" as in beer but not "free" as in speech).

In contrast, ISSAF documents strictly adhere to the GFDL in their licenses 
and they even give away their (c) to the Free Software Foundation.

Further proof of ISECOM no longer providing an OSS product is the fact 
that its community has really faded away. The activity on the public 
mailing lists has been fading since the license change and is now 
essentially zero.

ISECOM certainly does not follow the "release early, release often" 
model, and has a tight control of version distributions.  The current 
OSSTMM (2.2) has more or less the same contents as the one released 
three years back (2.0).

Doesn't it sound strange to you that 3.0 is not yet in a "releasable" 
state and, at the same time, ISECOM has been (since 2004) providing 
"OSSTMM 3.0 Certification classes" (for OPST and OPSA)?

Other projects which have turned "commercial" (which is not a bad thing 
in and of itself) have done it wrong and have taken similar steps to try 
to close access to contents they produce and control the 
commercialisation (sp?) of their work. Eventually, all of them have 
turned into non-open-source projects and the community that started 
helping them out eventually left for greener pastures.

Of course, that's my point of view. I'm biased, and do have an emotional 
standpoint here.

I've made my share of contributions to the OSSTMM, reviewing, providing 
content and translations (for the website and the texts). I even 
contributed a full "XML security module" (for SOAP testing) back in 2002 
which has yet to be made public and I'm pretty sure it's part of the 
contents of 3.0 (promised to be released in 2004). I finally left the 
project when it started taking a route I did not like (and I'm not alone 
in this decision). Neither I nor many other previous contributors are 
credited any longer in recent versions of the manuals, even if the text 
we contributed is still (verbatim) there.

PS: Feel free to show me wrong in any of the above statements. Maybe the 
project has taken a different route and I've missed it.