[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Eoin Keary eoin.keary at owasp.org
Sun Sep 8 11:15:13 UTC 2013


Hi guys,
Can we take the testing guide list off this thread. We have a governance list.
Thanks.


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 8 Sep 2013, at 08:42, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:

> Pete,
> 
> On Fri, Sep 6, 2013 at 12:31 AM, Pete Herzog <lists at isecom.org> wrote:
>> This isn't a court so stop. Your evidence is not something I can
>> confirm nor cross-examine. And you don't attack the Medical School if
>> a doctor is reportedly performing malpractice. Whatever your grievance
>> with Pure Hacking it's not the fault of us or the OSSTMM but how they
>> did their business in a particular instance. PH hasn't been an ISECOM
>> partner for many years so again, not sure why you're coming at us.
>> What I can do is take your complaint and address PH with it. That's
>> what we do when a group claims to use the OSSTMM a particular way and
>> another party thinks it's not true. And I'll do that. Thanks for your
>> note and next time don't wait almost 4 years to let us know of an
>> alleged incident so we can address it in a timely manner.
> 
> In reference to the breach being "almost 4 years" ago:
> - The most recent breach is dated May 2013 i.e.
> http://www.smh.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html.
> - Pure Hacking were teaching ISECOM courseware for over five years (in
> 2006) before the initial breach in December 2011 i.e.
> http://www.zdnet.com/accredited-open-source-anti-hacking-course-launches-1139263109/
> 
> I can confirm that Pure Hacking requested the modification of the news
> article published by Fairfax.  You can also observe a similar
> behaviour when Ty Miller refused to be quoted again within
> http://www.zdnet.com/thomsons-phone-clone-claims-uncertain-1339338352/
> when his initial quote by SMH was challenged.
> 
> This is not hearsay based on these quotes (as of Friday 6 September
> 2013 after 5:15PM AEST):
> 1. http://www.purehacking.com/about-us/our-team - "Staff members are
> regular contributors the Open Source Security Testing Methodology
> Manual (OSSTMM), certified Trainers of Penetration Testing
> Professionals of OSSTMM,"
> 2. http://www.purehacking.com/news/afd-technical-details - a number of
> quotes about "OSSTMM's requirement for detecting active filtering such
> as IDP or IPS".
> 3. https://www.purehacking.com/news/active-filter-detection - "As an
> OSSTMM auditor Pure Hacking"
> 
> Your analogy hasn't considered that Ty (and Pure Hacking) are listed
> by ISECOM as a contributor to the OSSTMM and are therefore held to a
> higher standard in their implementation of the OSSTMM.
> 
> Ty Miller left Pure Hacking in May 2013 according to
> http://au.linkedin.com/pub/ty-miller/16/a45/963 so I am not sure how
> you concluded that PH are not at least a "recent" partner of ISECOM.
> I believe Ty Miller is aware of this thread based on his recent
> recorded visit to http://www.linkedin.com/in/ChristianHeinrich
> 
> The easiest course of action would be for ISECOM to issue a press
> release clarifying Pure Hacking's partnership with ISECOM and OSSTMM
> rather than approaching Telstra and/or Pure Hacking to release the
> related artifacts.
> 
> If what ISECOM allege about Pure Hacking's partnership is true then
> this won't be the first time that Pure Hacking have been found
> guilty of brand abuse i.e.
> http://lists.owasp.org/pipermail/owasp-board/2006-November/005317.html
> 
> On Fri, Sep 6, 2013 at 12:31 AM, Pete Herzog <lists at isecom.org> wrote:
>> As for your robots.txt stuff:
>> 
>> OSSTMM 3
>> 
>> 11.4.2
>> (c) Examine target web-based application source code and scripts to
>> determine the existence of additional targets in the network.
>> 
>> 11.6.3
>> (a) Test the depth of access to business or confidential information
>> available on web servers without any established, required credentials.
>> 
>> 
>> OSSTMM 2
>> 
>> In the sec-testing template, there is the following:
>> 
>> Web Page Date Last Modified
>> Web Links Internal
>> Web Site Searchability
>> Web Links External
>> 
>> 
>> So while we don't call it what you call it, we do expect it to be
>> reviewed along with other important information.
> 
> OSSTMM v2 was released almost a decade before December 2011 i.e.
> http://www.zdnet.com/accredited-open-source-anti-hacking-course-launches-1139263109/
> 
> I'll add 11.4.2 and 11.6.3 from OSSTMM v3 as references (where
> relevant) to OTG-INFO-001 or OTG-INFO-003 of the OWASP Testing Guide.
> 
> 
> -- 
> Regards,
> Christian Heinrich
> 
> http://cmlh.id.au/contact
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
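The quoted exchange above lists the OSSTMM 3 items (11.4.2, examine page source for additional targets; 11.6.3, depth of access without credentials) and the OSSTMM 2 template fields (internal/external links, searchability) that cover the "robots.txt stuff" under discussion, and the poster says he will cross-reference them from OTG-INFO-001/003. The following is an added example, not code from the thread, from OWASP or from ISECOM: an offline discovery pass that parses a robots.txt, classifies the links in a page as internal or external, and flags internal links that lead into paths the site asks crawlers to avoid. The host www.example.com, the robots.txt and the page source are all constructed sample data; nothing here fetches anything.

```python
"""Added example: offline robots.txt + page-source target discovery in the spirit
of OTG-INFO-003 (webserver metafiles) and OSSTMM 3 11.4.2 (page source review).
Not code from the mailing-list thread, OWASP or ISECOM; all inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed robots.txt for a hypothetical host; the trailing '#' comment on a
# Disallow line is deliberate, since real files carry them and naive parsers choke.
SAMPLE_ROBOTS = """\
# constructed sample, not a real site
User-agent: *
Disallow: /admin/
Disallow: /backup/   # old database dumps
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""

# Constructed page source for https://www.example.com/index.html (hypothetical).
SAMPLE_HTML = """\
<html><body>
<a href="/admin/login.php">Admin</a>
<a href="about.html">About</a>
<a href="https://www.example.com/docs/">Docs</a>
<a href="http://cdn.example.net/app.js">CDN</a>
<a href="mailto:security@example.com">Mail</a>
<a href="#top">Top</a>
<script src="/assets/app.js"></script>
</body></html>
"""

BASE_URL = "https://www.example.com/index.html"  # hypothetical


def parse_robots(text):
    """Return (directive, value) pairs with comments and blank lines removed.
    Only the first ':' splits directive from value, so Sitemap URLs survive intact."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        records.append((directive.strip().lower(), value.strip()))
    return records


def disallowed_paths(text):
    """Paths any user-agent section asks crawlers to avoid: the first place to look
    for admin panels, backups and staging copies the owner did not want indexed."""
    return sorted({v for d, v in parse_robots(text) if d == "disallow" and v})


class _LinkCollector(HTMLParser):
    """Gather href/src values from tags that reference other resources."""
    TAGS = {"a": "href", "link": "href", "script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        want = self.TAGS.get(tag)
        for name, value in attrs:
            if name == want and value:
                self.refs.append(value)


def classify_links(base_url, html):
    """Resolve each reference against base_url and split into sorted
    (internal, external) absolute URLs. Fragment-only and non-http(s) refs are dropped."""
    collector = _LinkCollector()
    collector.feed(html)
    base_host = urlsplit(base_url).netloc.lower()
    internal, external = set(), set()
    for ref in collector.refs:
        if ref.startswith("#"):
            continue
        absolute = urljoin(base_url, ref)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue
        (internal if parts.netloc.lower() == base_host else external).add(absolute)
    return sorted(internal), sorted(external)


def discover(base_url, robots_text, html):
    """Combine both sources into a review list:
    disallowed_urls: Disallow entries as absolute URLs worth probing unauthenticated;
    linked_into_disallowed: internal links the page itself exposes into those paths;
    external_hosts: third-party hosts the page pulls from (scope candidates)."""
    root = urljoin(base_url, "/")
    paths = disallowed_paths(robots_text)
    internal, external = classify_links(base_url, html)
    exposed = [u for u in internal if any(urlsplit(u).path.startswith(p) for p in paths)]
    return {
        "disallowed_urls": [urljoin(root, p) for p in paths],
        "linked_into_disallowed": exposed,
        "external_hosts": sorted({urlsplit(u).netloc for u in external}),
    }


if __name__ == "__main__":
    for key, values in discover(BASE_URL, SAMPLE_ROBOTS, SAMPLE_HTML).items():
        print(key)
        for value in values:
            print("  ", value)
```

The Disallow list is only a hint: it enumerates what the owner wanted hidden, not what is actually protected, so each entry still has to be requested without credentials (the 11.6.3 check) before anything is reported. The "linked into disallowed" set is the more interesting finding, because a page that links to /admin/ makes the robots.txt exclusion moot for anyone reading the source.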


More information about the Owasp-testing mailing list