[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Aug 28 02:27:36 UTC 2013


On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <lists at isecom.org> wrote:
> "If you are interested in helping with this project please contact us."
> But you didn't contact us. We didn't receive a mail that says you are
> interested in reviewing and working with the Web App Draft and so
> nobody could send it to you. I understand that you don't want to pay
> for access but I think you could afford an e-mail to us, right?

I exploited the fact that you deliberately withheld the
"OSSTMM_Web_App_Draft.pdf"; providing it as part of your initial
response would have shown that ISECOM had nothing to hide.

Please don't consider this an invitation to provide this to me now, as
I will declare that I can't confirm in a transparent manner that
your document hasn't subsequently been altered.

On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <lists at isecom.org> wrote:
> As for your disdain for Ty Miller in yet another mail, okay, we get
> it, you can find a few links that talk about Telstra but that in no
> way proves the fault of the tester. Your ability to analyze and deduct
> is seriously flawed. Your faulty logic of Telstra -> PureHacking ->
> Ty -> Team Members -> ISECOM leads to "OSSTMM bad" is laughable.

I have "insider" knowledge of this as I was employed by Telstra to deliver
Vulnerability Assessment related services to three of the four major
banks and to resolve disputes related to Penetration Testing undertaken
by the banks themselves against Telstra.

During this time there was a discussion put forward at a much higher
level for my scope to increase to include the services that "Pure
Hacking" delivered to Telstra, due to concerns around their lack of
both quality and talent, since I was well known for exploiting
subtle but high severity vulnerabilities not discovered by "Pure
Hacking", who had performed multiple audits that listed the QA
undertaken by Ty Miller.

As a result of http://www.smh.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html,
this discussion was raised again, since I would have tested for this,
as it is reflective of my contribution to the OWASP Testing
Guide and hence would have reflected my high standing within the

In addition and after several complaints against Pure Hacking within
OWASP, starting with
Tom Brennan (OWASP) had also independently sought references from
well known people who have some association with "Pure Hacking" and
also formed the same conclusion about their lack of webappsec ability.

In future I would suggest that you undertake some more background
research next time (Also Ty Miller left Pure Hacking recently)?

On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <lists at isecom.org> wrote:
> And then you end your message with the bit about conflict of interest
> with Mike Menefee/OWASP/ISECOM. Really? In 2 open source
> organizations? Does that mean they need to be open to everyone but
> each other because they are in the same industry? Really? A little
> secret- many many people are in multiple, open organizations and it's
> a good thing because that's how ideas spread and innovation grows.

ISECOM have repeated the "marketing" mistake of Foundstone from 2003
i.e. http://web.archive.org/web/20030801110134/http://www.internalmemos.com/memos/memodetails.php?memo_id=1739

In future you could portray these as a success story for ISECOM and
OWASP while disclosing your conflict of interest too in a positive way
i.e. "... I [Pete] presented at OWASP NC and the Chapter Leader wanted
to contribute to OSSTMM ..."

On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <lists at isecom.org> wrote:
> I do appreciate your efforts to bring these things to my attention.
> I'll work on making the contributor thing more transparent so as not
> to lose any more possible volunteers.

If I were you, I would have invited me and all the other critics of
OSSTMM to become listed contributors from the onset of their criticism
against ISECOM.

Christian Heinrich
