[Owasp-testing] OSSTMM manual

Pete Herzog pete at isecom.org
Tue Jan 23 04:33:38 EST 2007


Hi,

The image is over-simplified.  There are applications for services that are 
not on the web, i.e., for finger, dns, ldap, smtp, pop, etc., for which the 
OSSTMM does have tests.  It should say "web applications", right?

-pete.

-- 
Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.

Dinis Cruz wrote:
> That image is actually a good one, can you put a variation of it on the 
> guide?
> 
> It also shows exactly why there should be some references to the OSSTMM in 
> the Guide
> 
> Dinis
> 
> On 1/19/07, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> 
>     Hi,
>     IMHO:
> 
>     1) OWASP and OSSTMM are complementary: the first focuses on Web
>     Application Security, the second focuses on System and Network
>     Security.
>     I agree with Eoin, the Testing Guide is more practical.
>     As you can see in the attachment (I don't know if that will be
>     eliminated by the mail server), Raoul Chiesa and I talked about that
>     at the IDC Banking Forum 2005.
> 
>     2) OSSTMM cites OWASP in their methodology for the Web Application
>     Security field because it doesn't go deeply into this argument.
> 
>     3) ISSAF is similar to our Testing Guide, but once again this is not
>     totally focused on Web Application Security and the approach is
>     different.
>     http://www.oissg.org/component/option,com_docman/task,cat_view/gid,66/Itemid,134/
> 
>     4) Testing Guide Version 2.1
>     As PDP has suggested to me, I'd like to create a new chapter on Client
>     side Testing: Flash, Java, etc. Nowadays Web 2.0 moves a part of the
>     application to the client side.
> 
>     Mat
> 
> 
> 
> 
>     On 1/19/07, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>      > > [1] Previous versions of the OWASP documents used the
>      > > GFDL license. I've never seen the reasoning behind the license
>      > > change.
>      > > Anyone care to point me to it?
>      >
>      > The CC Attribution Share-Alike
>      > (http://creativecommons.org/licenses/by-sa/2.5/) was designed by
>      > Lawrence Lessig precisely for wiki content.  The basic idea is that
>      > you can reference the material to the licensor without having to
>      > attribute back to all of the original authors (which could be very
>      > difficult).
>      >
>      > It suits our work at OWASP very well. The GFDL is large and
>      > complex and wasn't really designed for a wiki (see
>      > http://www.usemod.com/cgi-bin/mb.pl?FreeDocumentationLicense).
>      >
>      > --Jeff
> 
> 
>     --
>     Matteo Meucci
>     OWASP-Italy Chair, CISSP, CISA
>     http://www.owasp.org/index.php/Italy
>     OWASP Testing Guide AoC lead
>     http://www.owasp.org/index.php/Testing_Guide
> 
> 

