[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Pete Herzog lists at isecom.org
Tue Aug 27 15:13:55 UTC 2013

Hi again Christian,

Sorry for the lack of transparency. Here you go:


"We provide our research here openly for all to learn with us. All
projects are open for involvement or further study. Your involvement
assures each project gets reviewed from within new constraints, a new
perspective, and a new mind. So do contact us with your comments,
criticisms, doubts, or if you want to help further a project along."

And from OSSTMM.org:

"If you are interested in helping with this project please contact us."

But you didn't contact us. We didn't receive a mail that says you are
interested in reviewing and working with the Web App Draft and so
nobody could send it to you. I understand that you don't want to pay
for access but I think you could afford an e-mail to us, right?

As for your disdain for Ty Miller in yet another mail, okay, we get
it, you can find a few links that talk about Telstra but that in no
way proves the fault of the tester. Your ability to analyze and deduct
is seriously flawed. Your faulty logic of Telstra -> PureHacking ->
Ty -> Team Members -> ISECOM leads to "OSSTMM bad" is laughable.

And then you end your message with the bit about conflict of interest
with Mike Menefee/OWASP/ISECOM. Really? In 2 open source
organizations? Does that mean they need to be open to everyone but
each other because they are in the same industry? Really? A little
secret: many, many people are in multiple, open organizations and it's
a good thing because that's how ideas spread and innovation grows.

I do appreciate your efforts to bring these things to my attention.
I'll work on making the contributor thing more transparent so as not
to lose any more possible volunteers.


On 8/27/2013 7:18 AM, Christian Heinrich wrote:
> I addressed a similar e-mail at
> http://lists.owasp.org/pipermail/owasp-testing/2013-August/002211.html
> but I figured I would take you up on your offer and see if
> https://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_(OWASP-IG-001)
> was within the OSSTMM_Web_App_Draft.pdf and here are the steps below:
> 1. Upon clicking
> https://www.isecom.org/silverteam/OSSTMM_Web_App_Draft.pdf I was
> redirected to https://www.isecom.org/members/plugins/protect/new_rewrite/login.php?v=-1,2,13,7,14,5&url=/silverteam/OSSTMM_Web_App_Draft.pdf
> 2. I clicked "Signup here" i.e. "Not registered yet? Signup here"
> 3. Silver Registration is listed as $99 USD on
> https://www.isecom.org/members/signup.php
> Therefore, since I refuse to pay and your recent offer was to provide
> me this free of charge I can only conclude that
> https://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_(OWASP-IG-001)
> is not part of OSSTMM_Web_App_Draft.pdf since after Telstra had
> assured the public that it would never happen again i.e.
> http://conference.auscert.org.au/conf2012/speaker_Scott_McIntyre.html
> and after extensive audits were undertaken by I assume
> http://www.purehacking.com/about-us/our-team, who "... are regular
> contributors the Open Source Security Testing Methodology Manual
> (OSSTMM), certified Trainers of Penetration Testing Professionals of
> OSSTMM, ..."  http://www.smh.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html
> occurred almost 1.5 years later or almost five years after the
> publication of the OWASP Testing Guide v3.
> Also, http://www.wireheadsecurity.com/owasp-nc-october-2010-with-pete-herzog-from-isecom
> -> http://www.meetup.com/owaspnc/events/14603102/ ->
> http://www.isecom.org/team.html shows the conflict of interest of
> OWASP NC Chapter and ISECOM.