[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Aug 28 05:24:05 UTC 2013


Based on what you have stated I am willing to reconsider OSSTMM, so to
move forward how about this:

1.  I'll contribute to the OSSTMM_Web_App_Draft.pdf since this will resolve
the correlation of http://www.smh.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html
2.  I'll report back to OWASP on my experience with ISECOM.
3.  If my experience with ISECOM is also positive (based on your own
observations) then I'll correlate the OWASP Testing Guide v4 to OSSTMM
Web Application Methodology.

If you are after examples of 3. above then it would be similar to the
comparison of the OWASP Top Ten and MITRE/SANS Top 25 I have produced
in the past, i.e. https://github.com/cmlh/OWASP-Top-Ten-2013 and
https://github.com/cmlh/Top-25 respectively, but on much larger in

I believe this is a win-win for both OWASP and ISECOM, and please let
me know off list if ISECOM would like to suggest consideration of a
reasonable alternative or develop additional items to those above.

Can we aim to finalise this by next Tuesday morning (3 September) to
allow for ISECOM to discuss this internally too?

On Wed, Aug 28, 2013 at 2:48 PM, Michael Menefee
<mmenefee at wireheadsecurity.com> wrote:
> Hi Christian,
> I realize that I was only included in this discussion as Pete thought it
> appropriate to include those of "us" that you had named specifically in one
> of your initial responses, but -if I may- I would like to provide some
> insight from a former ISECOM-hater, now team member, and absolute advocate
> of the ISECOM mentality.
> I recognize that you have been in the IT/Security industry for a while, and
> it can be frustrating to not get an initial response that you expect when
> you are interested in getting involved with something, and would like
> immediate results.
> Below is my story, for what it's worth.
> In 2004 or so I had contacted Pete about getting involved with ISECOM and
> furthering the ISECOM/OSSTMM mentality. Truth be told, I was only interested
> in how it could financially benefit my business and me personally -- I
> wasn't so much interested in actually contributing. I think it was probably
> apparent to Pete and the Team that my motivations were less than global, and
> certainly selfish. (I'm not implying that your situation is similar, but I
> do recall having a similar exchange via email with Pete at the time)
> So, I didn't get the response I wanted. I got mad, because I had to find
> another way to get some free way to help my business by aligning myself with
> someone else / some other organization.
> I don't make this next statement as a reflection on the organization in
> question, but I turned to OWASP and started the North Carolina chapter,
> because OWASP was setup to encourage easy entry. The NC chapter operated
> independently from OWASP as a whole, we received ZERO support from OWASP and
> basically were just pretending to be part of OWASP. In retrospect, if you're
> not at the core of that organization, you're not really involved. You give
> and give and give and get nothing in return, which is not sustainable in any
> capitalist or socialist society. Imagine my surprise that I did not receive
> fame or fortune from that experience, regardless of how hard I tried to make
> a local impact under that banner.
> So, 2010 rolls around after 15 years of providing consulting services to my
> clients and I finally just came to the conclusion that no matter what method
> I used, no matter what organization I was associated with, no matter what I
> told them, no matter how many ways I hacked them, showed them how they were
> vulnerable, etc: nothing was accomplished. Nothing got solved.
> Vulnerabilities persisted, new buzzwords were created, more FUD and less
> security happened.
> Depressing to say the least, when you devote your career to the "Infosec"
> world....
> At the time, I owned Infosecisland.com and ISECOM wanted to post an article
> about the upcoming OSSTMM release, and I got a chance to take a look at it
> again. I immediately remembered why I was initially interested in it...more
> like science, less like bullshit..something I might be able to use to help
> my clients over the long-term.
> There was a real measurable and repeatable process. Something that if it was
> documented properly, no matter who came behind me and performed another
> "audit" or "assessment" or "pen test", they would have the basis for my
> assumptions, findings and recommendations, and could in-turn measure change
> (for better or worse) in the actual security posture of any organization,
> institution or individual.
> So, we adopted it, found immediate positive response from multiple levels
> within our client's organizations and really got behind it. The clients that
> got on-board with it and have persisted with it since are better off. Those
> that used it once and checked it off their list of things to do that year
> are no better than they were before. That's their decision, but at least
> they have a basis for their decision to ignore or avoid the results and
> recommendations that came out of it.
> No assessment or evaluation method guarantees security. It's ultimately up
> to the business to make their own decision regardless of how it's presented
> to them.
> OK, so a long story, I know, but I wish I could dig up my email thread with
> Pete back in 2004, but it's water under the bridge. My clients are better
> off for me having had that argument then, and getting involved since, and
> that's the point.
> ISECOM is a very open organization involving many talented people across the
> globe, but unlike other organizations in this space, there is some
> bullshit-meter/qualification processes that happens before everyone just
> gets full access and unrestricted input into anything. We really spend a lot
> of time and energy on the principles we promote, but don't have an open
> thread for everyone to throw in their input and expect it to become part of
> the methodology.
> As an example, we have internally had a topic of debate for more than 2
> years regarding how to measure Trust and we are just now coming to a level
> of agreement on some of the areas of contention surrounding 2 properties and
> how to assign weight to them in terms of a formula. It takes real debate
> and real time and experience to use certain methods and technologies before
> they can be vetted and agreed upon (even by a small group), and that's what
> ISECOM is devoted to. It's not ideal for everyone, but I believe it's the
> right approach.
> I would encourage you to re-consider your decision to write us off, cause
> there really is a lot to be gained personally and a lot of room to
> contribute. I think that most of us on this list have been there more than
> once. Pete and the core team work very hard to further the research in this
> space. It's hard to respond to every request, but you're on the radar now,
> and we invite further constructive discussion, and welcome your input and
> review.
> Life's too short and the world is too small. Conversation and debate are
> mostly free.
> Cheers man!
> Mike
> On 8/27/13 10:27 PM, Christian Heinrich wrote:
>> Pete,
>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <lists at isecom.org> wrote:
>>> "If you are interested in helping with this project please contact us."
>>> But you didn't contact us. We didn't receive a mail that says you are
>>> interested in reviewing and working with the Web App Draft and so
>>> nobody could send it to you. I understand that you don't want to pay
>>> for access but I think you could afford an e-mail to us, right?
>> I exploited that you deliberately withheld providing me with the
>> "OSSTMM_Web_App_Draft.pdf" as part of your initial response would have
>> shown that ISECOM had nothing to hide.
>> Please don't consider this an invitation to provide this to me now as
>> I will declare that I can't confirm in a transparent manner that
>> your document hasn't subsequently been altered.
>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <lists at isecom.org> wrote:
>>> As for your disdain for Ty Miller in yet another mail, okay, we get
>>> it, you can find a few links that talk about Telstra but that in no
>>> way proves the fault of the tester. Your ability to analyze and deduct
>>> is seriously flawed. Your faulty logic of Telstra -> PureHacking ->
>>> Ty -> Team Members -> ISECOM leads to "OSSTMM bad" is laughable.
>> I have "insider" knowledge of this as I was employed by Telstra to deliver
>> Vulnerability Assessment related services to three of the four major
>> banks and resolving disputes related to Penetration Testing undertaken
>> by the bank themselves against Telstra.
>> During this time there was a discussion put forward at a much higher
>> level for my scope to increase to include the services that "Pure
>> Hacking" delivered to Telstra due to concerns around their lack of
>> both quality and talent since I was well known for exploiting
>> subtle but high severity vulnerabilities not discovered by "Pure
>> Hacking" who had performed multiple audits that listed the QA
>> undertaken by Ty Miller.
>> As a result of
>> http://www.smh.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html,
>> this discussion was raised again since I would have tested for this,
>> since it is reflective of my contribution to the OWASP Testing
>> Guide and hence would have reflected my high standing within the
>> industry.
>> In addition and after several complaints against Pure Hacking within
>> OWASP, starting with
>> http://lists.owasp.org/pipermail/owasp-board/2006-November/005317.html,
>> Tom Brennan (OWASP) had also independently sought references from
>> people well known who have some association with "Pure Hacking" and
>> also formed the same conclusion about their lack of webappsec ability.
>> In future I would suggest that you undertake some more background
>> research next time (also, Ty Miller left Pure Hacking recently).
>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <lists at isecom.org> wrote:
>>> And then you end your message with the bit about conflict of interest
>>> with Mike Menefee/OWASP/ISECOM. Really? In 2 open source
>>> organizations? Does that mean they need to be open to everyone but
>>> each other because they are in the same industry? Really? A little
>>> secret- many many people are in multiple, open organizations and it's
>>> a good thing because that's how ideas spread and innovation grows.
>> ISECOM have repeated the "marketing" mistake of Foundstone from 2003
>> i.e.
>> http://web.archive.org/web/20030801110134/http://www.internalmemos.com/memos/memodetails.php?memo_id=1739
>> In future you could portray these as a success story for ISECOM and
>> OWASP while disclosing your conflict of interest too in a positive way
>> i.e. "... I [Pete] presented at OWASP NC and the Chapter Leader wanted
>> to contribute to OSSTMM ..."
>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <lists at isecom.org> wrote:
>>> I do appreciate your efforts to bring these things to my attention.
>>> I'll work on making the contributor thing more transparent so as not
>>> to lose any more possible volunteers.
>> If I was you then I would have invited me and all the other critics of
>> OSSTMM to become listed contributors from the onset of their criticism
>> against ISECOM?

Christian Heinrich

