Pete Herzog (the main man behind ISECOM) was kind enough to reply to my blog post about OSSTMM.
Here is his complete answer:
Since you mentioned it….
The development behind the OSSTMM v.3 has been pretty amazing. We got a huge push from the OpenTC project which is funded by the EU and a lot of support from various governments around the world. But all this attention was for a reason - the OSSTMM v.3 needed to fix all the problems from the previous versions and that meant fixing a lot of the problems in the security industry. The worst being “best practices”. This meant that OSSTMM v.3 had to be a new methodology, completely rewritten, with each and every part of the method verified to be true and not just a common or “best” practice. Needless to say it’s a lot of work. But it did bring about some really cool findings about security (remember the OSSTMM just focuses 1/5th of itself on network and data security). Basically, the OSSTMM v.3 has become a collection of security facts in the form of a methodology for security testing and analysis. Some of the improvements and differences are:
- Gone are best practices
- Focus on the proper method for doing a security test and analysis from start to finish
- New modules with a cohesiveness to operational security metrics which measure accurately the attack surface of anything and trust metrics which can help you decide if you have a reason to trust someone or something.
- Self-auditing features with new test types, error types, and a means to qualitatively assure you, as the tester, are able to review problems you encountered while testing and improve yourself.
- Flexibility to apply it to any new technologies or processes.

We’re going strong but we need a better way to communicate this effectively. We’re working on a new website which will have RSS capabilities so hopefully you will see the changes as we upload them.

Thanks, Pete! I’m looking forward to the new release.
