[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Pete Herzog lists at isecom.org
Thu Sep 5 14:31:15 UTC 2013


Christian,

This isn't a court, so stop. Your evidence is not something I can
confirm or cross-examine. And you don't attack the Medical School if
a doctor is reportedly performing malpractice. Whatever your grievance
with Pure Hacking it's not the fault of us or the OSSTMM but how they
did their business in a particular instance. PH hasn't been an ISECOM
partner for many years so again, not sure why you're coming at us.
What I can do is take your complaint and address PH with it. That's
what we do when a group claims to use the OSSTMM a particular way and
another party thinks it's not true. And I'll do that. Thanks for your
note and next time don't wait almost 4 years to let us know of an
alleged incident so we can address it in a timely manner.

As for your robots.txt stuff:

OSSTMM 3

11.4.2
(c) Examine target web-based application source code and scripts to
determine the existence of additional targets in the network.

11.6.3
(a) Test the depth of access to business or confidential information
available on web servers without any established, required credentials.


OSSTMM 2

In the sec-testing template, there is the following:

Web Page Date Last Modified
Web Links Internal
Web Site Searchability
Web Links External


So while we don't call it what you call it, we do expect it to be
reviewed along with other important information.

Sincerely,
-pete.



On 8/29/2013 3:49 AM, Christian Heinrich wrote:
> Pete,
> 
> On Wed, Aug 28, 2013 at 7:22 PM, Pete Herzog <lists at isecom.org> wrote:
>> The Robots thing has been in the OSSTMM since version 1. So it is in
>> the OSSTMM App Sec methodology. But thanks. I'll look into the other
>> things you sent but I won't be able to answer by Sept 3. I will get to
>> you as soon as possible.
> 
> If this is the case then Ty (or "Pure Hacking") are more than welcome
> to provide the reason for this perceived deficiency in their delivery
> of the OSSTMM prior to December 2011 i.e.
> http://www.smh.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html
> and their continued failure after [I assume] "Pure Hacking" to correct
> this deficiency in their continued application of the OSSTMM from
> December 2011 through to May 2013 i.e.
> http://www.smh.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html
> 
> Also, can you send the relevant quote from the OSSTMM (a release which
> is available to the public without a paid subscription) to me so I can
> include a reference to it within the
> https://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_(OWASP-IG-001)
> please?
> 
> 

-- 
Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
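The two OSSTMM 3 items Pete quotes (11.4.2, reviewing what a site publishes to find additional targets, and 11.6.3, testing what answers without credentials) are what the OWASP "Spiders, Robots, and Crawlers" test does with robots.txt. The script below is an added example, not code from this thread, from ISECOM or from OWASP: it parses a constructed robots.txt, turns the Disallow/Allow/Sitemap entries into candidate URLs, and classifies each by what an unauthenticated GET returns. The hostname example.test, the robots.txt body and the canned responses are all made up for the demonstration; `http_fetch` is the only part that touches a network and is not used by the offline run. Python standard library only.

```python
"""Review a robots.txt as a map of additional targets, then check which of
them are served without any credentials.  Added example; the robots.txt text,
the host example.test and the canned responses are constructed, not real."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin

# Constructed sample robots.txt for the hypothetical host example.test.
SAMPLE_ROBOTS = """\
# robots.txt - constructed example, not from any real site
User-agent: *
Disallow: /admin/
Disallow: /backup/db_export.csv
Disallow: /cgi-bin/
Disallow: /*.sql$
Allow: /public/
Sitemap: https://example.test/sitemap.xml

User-agent: Googlebot
Disallow: /customer-search
"""


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Collect Disallow, Allow and Sitemap values across every User-agent
    group.  Comments and blank lines are skipped, directive names are matched
    case-insensitively, duplicates are dropped, order is preserved."""
    found: Dict[str, List[str]] = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        key = name.lower()
        if key in found and value and value not in found[key]:
            found[key].append(value)
    return found


def candidate_targets(base_url: str, text: str) -> Tuple[List[str], List[str]]:
    """Return (urls, patterns).  Literal Disallow/Allow paths become absolute
    URLs to test; entries containing '*' or '$' are crawler match patterns,
    not fetchable paths, so they go back separately for manual review.
    Sitemap values are already absolute URLs and are included as they are."""
    parsed = parse_robots(text)
    urls: List[str] = []
    patterns: List[str] = []
    for path in parsed["disallow"] + parsed["allow"]:
        if "*" in path or "$" in path:
            patterns.append(path)
            continue
        url = urljoin(base_url, path)
        if url not in urls:
            urls.append(url)
    for sitemap in parsed["sitemap"]:
        if sitemap not in urls:
            urls.append(sitemap)
    return urls, patterns


# A fetcher maps a URL to (HTTP status, body length).  Making it injectable
# lets the review run offline against canned responses, as at the bottom.
Fetcher = Callable[[str], Tuple[int, int]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, int]:
    """Unauthenticated GET: a fresh request carrying no cookies and no
    Authorization header.  Note urllib follows redirects itself, so a
    'redirect' verdict only shows up with a fetcher that does not."""
    req = urllib.request.Request(url, headers={"User-Agent": "robots-review/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, 0


def classify(status: int, length: int) -> str:
    """Verdict for one unauthenticated response."""
    if status == 200 and length > 0:
        return "exposed"      # content served with no credentials at all
    if status in (401, 403):
        return "protected"    # credentials demanded or access refused
    if status in (301, 302, 303, 307, 308):
        return "redirect"     # follow by hand; often a login page
    if status == 404:
        return "missing"      # listed in robots.txt but not present
    return "other"


def review_robots(base_url: str, text: str, fetch: Fetcher) -> Dict[str, str]:
    """Map every candidate URL from robots.txt to its verdict."""
    urls, _patterns = candidate_targets(base_url, text)
    return {url: classify(*fetch(url)) for url in urls}


# Constructed responses standing in for a live server (assumption, not data).
CANNED: Dict[str, Tuple[int, int]] = {
    "https://example.test/admin/": (403, 0),
    "https://example.test/backup/db_export.csv": (200, 48213),
    "https://example.test/cgi-bin/": (404, 0),
    "https://example.test/public/": (200, 1200),
    "https://example.test/sitemap.xml": (200, 900),
    "https://example.test/customer-search": (200, 3100),
}


def canned_fetch(url: str) -> Tuple[int, int]:
    return CANNED.get(url, (404, 0))


if __name__ == "__main__":
    report = review_robots("https://example.test/", SAMPLE_ROBOTS, canned_fetch)
    for url, verdict in report.items():
        print(f"{verdict:10s} {url}")
```

Against a live host you would pass `http_fetch` instead of `canned_fetch`; the "exposed" entries are the ones to read (11.6.3), and the pattern entries and sitemap contents are further input for the source-code and link review in 11.4.2 rather than something to probe blindly.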