[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Thu Aug 29 01:36:53 UTC 2013


Pete,

On Wed, Aug 28, 2013 at 8:10 PM, Pete Herzog <pete at isecom.org> wrote:
> Snippy much? As a fellow researcher I am aware when something is under
> development and if it's other research then these things are always in
> some state of development.

CVSSv3 isn't "research", rather it's a standard where multiple
stakeholders vote on the inclusion of subjects solicited from the
community. There is no money exchanged.

OSSTMM is a perpetually closed draft created without seeking community
(i.e. outside of ISECOM membership) consensus.

On Wed, Aug 28, 2013 at 8:10 PM, Pete Herzog <pete at isecom.org> wrote:
> No matter who contributes, all research is vetted. We don't vet
> people, just what they contribute. As Mike mentioned, there are some
> things we've still debated on list for years.

FIRST had a "Call for Participants" and their selection was
vetted/approved by the FIRST Board.

ISECOM have to accept anyone because there is no value in being
associated with your brand and therefore no competition for placement.
I would welcome ISECOM to host a similar "Call for Participants" in
order to prove this statement incorrect.

On Wed, Aug 28, 2013 at 8:10 PM, Pete Herzog <pete at isecom.org> wrote:
> companies who did non sec work, like an e-mail implementation at
> well-known company XYZ, to say XYZ was a past client. There is a lot
> of lies and fraud in the pen test industry claiming to have done
> things they haven't. It also prevented breaks in NDA. What was allowed
> was for the companies themselves to give recommendations. We were just
> trying to get at more accurate referrals. Again, a recommendation and
> not a requirement.

I would be interested to know then as to why "Pure Hacking", who
contribute to OSSTMM and subsequently claim to adhere to the OSSTMM,
and are well known to deliver poor and incomplete testing, i.e.
http://www.smh.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html
have continued to be allowed to contribute to the OSSTMM in light of the
above statement?

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> It wasn't meant to. Of course we do need to earn money to continue our
> research. We have some very large, costly projects that bring
> absolutely zero return financially, like Hacker Highschool. But I
> wouldn't say we're trying to "extract as much revenue" because there
> are many things we don't do.

In light of http://aussieinnovation.com/directory/243, my reply is
based on the two posts to Pastebin within
http://seclists.org/fulldisclosure/2013/Mar/204 and the subsequent
tweets of https://twitter.com/hacklabsjody

http://www.flickr.com/photos/[email protected]/3286383607/ is the
relationship to "Pure Hacking"

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Based on what research? 4 tweets and a blog? I'd love to see your
> research. Don't bother if it's informal. I have actual numbers that
> show it's not. We shifted as we came to understanding about the
> inadequacies of pen testing and vuln scanning as well as many of the
> ways security has been "productized". That lost us people in those
> areas, like you apparently, but it gained us much more in other areas.
> It wasn't our intention. We just followed the facts of the research
> and adjusted the methodology accordingly.

http://www.pentest-standard.org/ was created due to the lack of
technical direction and lack of vigor required for the OSSTMM.

I am fairly well known for developing my own webappsec exploits.
However, I have provided an independent opinion on Pure Hacking
deliverables for companies in the past and these findings have included
the identification of the webappsec product, and the level of vigor
identified was that of the lowest level, i.e. automation only, i.e. Pure
Hacking has listed a number of false positives as filler and padding
of their deliverable.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Anecdotal evidence. Doesn't help.

This isn't anecdotal evidence if the same conclusion is drawn by
multiple experts (i.e. those who are peer reviewed) about "Pure
Hacking"

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Many many people talk to Kevin. And as far as I can tell, he's no
> longer a convicted criminal unless he just went back to jail....

A convicted criminal is someone who has been convicted of a crime i.e.
http://en.wikipedia.org/wiki/Kevin_Mitnick#Arrest.2C_conviction.2C_and_incarceration

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> I'm sure. After how many years? I won't hold my breath.

The ulterior motive of the recent offer to contribute to OSSTMM is based
on the likelihood that it will be refused, since politically I can
claim that I tried to contribute but your pride prohibited me.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Again, there are many variables. And all you can provide is anecdotal
> and indirect evidence.

Please refer to the dispute above related to your use of the term
"anecdotal evidence" which would incorporate "indirect evidence" too.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Again, what I'm interested in is ideas and contributions from Ty. We
> get contributions from everywhere and I'm not going to discount good
> work because other people don't like the way a certain person behaves
> professionally. And all this coming from you who was against the
> "ethics" in the OSSTMM!

I have addressed this already above too.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Okay, well, at ISECOM we don't advocate patching except for features
> and under change control procedures. Therefore we don't see the need
> for CVSS. We prioritize security remediation by operation and not risk.

The Confidentiality, Integrity and Availability vector of the Base
Metric of CVSS has no relationship to the risk defined within ISO
31000.

I would assume CIA defined within CVSS is more relevant to how you
defined them too.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Do those scientists make open all their work while they're working on
> it? No. Just their team sees it. We also publish for free.

Scientific research is peer reviewed by those outside of their team.
"Peer review" by the larger security community isn't engaged by
ISECOM.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Yes, and we were wrong. We followed research from the industry and it
> misled us until we figured out that security was impossible that way.
> So we took 7 years to restart our research from the ground up and came
> out with OSSTMM 3. All stuff I've said publicly.

If ISECOM had created a new "brand" based on a fork of OSSTMM (which
would also be deprecated) then I don't believe you would continue to
experience the same level of resistance today.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Again, it's free for anyone to join and contribute to the team and you
> have access.

Please refer to my public request to contribute.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> But it's still just opinions. I can go online and find 3 twitter posts
> and a blog post that says smoking is good but that doesn't make it true.

I don't believe these blog posts exist and if they did it would be in
reference to the harm reduction in smoking a regulated product as
opposed to those manufactured by illicit trade.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Yes, and he didn't mention OSSTMM. Choosing something is a preference
> and an opinion.

I have addressed this with the reference to PTES above.

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> I hope at least that what you learn from our exchange is that things change
> and evolve and you shouldn't be dismissive of things because you
> didn't like the old version. I mean, you did support a new version of
> CVSS despite version 1 being pretty bad.

I did support CVSSv1 based on my prior knowledge of Mike Schiffman's
other research in low level network packet manipulation i.e.
http://www.first.org/cvss/v1#c8

>> On Wed, Aug 28, 2013 at 1:13 AM, Pete Herzog <pete at isecom.org> wrote:
> Let's take this exchange offline from here on out.

You should have done this in the first instance since this thread has
no relevance to the OWASP Testing Guide.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
