[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Tue Aug 27 05:18:20 UTC 2013


I addressed a similar e-mail at
but I figured I would take you up on your offer and see if
was within the OSSTMM_Web_App_Draft.pdf and here are the steps below:

1. Upon clicking
https://www.isecom.org/silverteam/OSSTMM_Web_App_Draft.pdf I was
redirected to https://www.isecom.org/members/plugins/protect/new_rewrite/login.php?v=-1,2,13,7,14,5&url=/silverteam/OSSTMM_Web_App_Draft.pdf

2. I clicked "Signup here" i.e. "Not registered yet? Signup here"

3. Silver Registration is listed as $99 USD on

Therefore, since I refuse to pay and your recent offer was to provide
me this free of charge I can only conclude that
is not part of OSSTMM_Web_App_Draft.pdf since after Telstra had
assured the public that it would never happen again i.e.
and after extensive audits were undertaken by I assume
http://www.purehacking.com/about-us/our-team, who "... are regular
contributors the Open Source Security Testing Methodology Manual
(OSSTMM), certified Trainers of Penetration Testing Professionals of
OSSTMM, ..."  http://www.smh.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html
occurred almost 1.5 years later or almost five years after the
publication of the OWASP Testing Guide v3.

Also, http://www.wireheadsecurity.com/owasp-nc-october-2010-with-pete-herzog-from-isecom
-> http://www.meetup.com/owaspnc/events/14603102/ ->
http://www.isecom.org/team.html shows the conflict of interest of
OWASP NC Chapter and ISECOM.

On Tue, Aug 27, 2013 at 8:38 AM, Pete Herzog <lists at isecom.org> wrote:
> Hi Christian,
> I'm aware of your work on CVSSv3 from your posts on the DailyDave
> list. As far as I can tell it's not done yet or there's no further
> development except what's posted here:
> http://www.first.org/cvss/v3/development
> There doesn't seem to be a public link. So it seems to be a closed
> development group as I couldn't easily see how I could get a copy of
> cvssv3 to read. It's just not developed in a transparent manner.
> Then again maybe that's all perspective.
> OSSTMM is also developed by a team of volunteers and to gain access to
> the development you need to help work on it or financially support
> development. When it's done we publish it for free as Open Source as
> we have 8 other times before this coming version 4. It helps us keep
> the project alive as well as keeping people from using an unfinished
> version and being unsatisfied, never to return again even once it's
> been improved. More than unsatisfied, the importance of security
> testing and measurements is so vital to many organizations that we
> need to be REALLY sure they know what is experimental and what isn't
> so as not to aid in someone screwing up a test for following an
> incomplete instruction set. And the team/subscriber hoop people need
> to jump through solves that problem.
> There's a lot of ways to do open source and there's a lot of ways to
> provide transparency. We do it through our teams and our lists as they
> also suggest here:
> http://opensource.com/life/13/7/10-secrets-open-source-communities
> If you wanted to see and try the OSSTMM web app testing in development
> you could have let us know and done some review for us or at least
> give feedback if you were going to read it anyway. But you didn't
> contact anyone in the team and you didn't ask for a copy anywhere I
> can see. Just like I didn't with CVSSv3 when I didn't find it right
> away. But I didn't call it closed source or not transparent. It is
> what it is and if I think I need it, I'll ask. Just like many students
> using OSSTMM in their thesis ask us for a copy of the latest stuff and
> we give it to them because they give back by applying our stuff in
> real and new ways.
> By the way, we did introduce the document within OWASP at a public
> meeting to get feedback from web developers and testers:
> http://seclists.org/webappsec/2010/q3/49
> Sorry if this escaped your notice. But we do them every once in a
> while so maybe you can catch the next somewhere, even on your continent.
> And by the way, I'm all for an OWASP Risk Rating. I think risk ratings
> are quite personal so they offer an interesting perspective based on
> the concerns of the organization developing them. They expand the
> thought field of security and help people frame what's important to
> them in the realm of that metric. With a field as big and imprecise as
> security we need all the new ideas we can get.
> Sincerely,
> -pete.
> --
> Pete Herzog - Managing Director - pete at isecom.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
> On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
> <rick.mitchell at bell.ca> wrote:
>> We should also keep in mind that work has been done in adapting the
> OSSTMM and its metrics for use in web app assessments.
>> http://seclists.org/webappsec/2010/q3/49
>> https://twitter.com/isecom/statuses/167973076301135872
> OSSTMM is *not* developed in a transparent manner (i.e. closed source)
> and this is demonstrated by
> https://twitter.com/isecom/statuses/167973076301135872 i.e. there is
> no public link within this tweet.
> Furthermore, there are no web application security related published
> bodies of work from http://www.isecom.org/team.html that are published
> outside of ISECOM that I am aware of (I would welcome references that
> prove this assumption is incorrect).
> On Thu, Aug 22, 2013 at 10:14 PM, rick.mitchell at bell.ca
> <rick.mitchell at bell.ca> wrote:
>> Anyway, while that's still up in the air I'd like to do something
> with the existing wiki. Even if that is only to reverse the previous
> edit which sparked this thread. I was just really hoping that a few
> people would chime in with black or white (agreement or disagreement)
> on the topic.
> I can't agree that this would be a good use of your time due to the
> imminent release of CVSSv3 vs your expected outcome for the OWASP Risk
> Rating Methodology.  Rather, it is more advantageous for OWASP to
> deprecate this as other bodies of work related to risk management have
> improved significantly over time with multiple releases.
> --
> Regards,
> Christian Heinrich
> http://cmlh.id.au/contact

Christian Heinrich