Fact does not come from the grand leaps of discovery but rather from the small, careful steps of verification. That is the premise of the Open Source Security Testing Methodology Manual also known as the OSSTMM (pronounced as "awstem") It is a peer-reviewed manual of security testing and analysis which result in verified facts. These facts provide actionable information that can measurably improve your operational security. By using the OSSTMM you no longer have to rely on general best practices, anecdotal evidence, or superstitions because you will have verified information specific to your needs on which to base your security decisions. One way to assure a security analysis has value is to know it has been done thoroughly, efficiently, and accurately. For that you need to use a formal methodology. The OSSTMM aims to be it.
The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does.
What you get from utilizing OSSTMM is a deep understanding of the interconnectedness of things. The people, processes, systems, and software all have some type of relationship. This interconnectedness requires interactions. Some interactions are passive and some are not. Some interactions are symbiotic while others are parasitic. Some interactions are controlled by one side of the relationship while others are controlled by both. We may try to control what we can't trust but even then some controls are flawed or superfluous, which is harmful to at least one side of the relationship, if not both. What we want is that our controls balance perfectly with the interactions we want or need. So when we test operations we get the big picture of all our relationships, coming and going. We get to see the interconnectedness of the operations in fine detail and we get to map out what makes us, our business, and our operations what they are and can be.
Why test operations? Unfortunately, not everything works as configured. Not everyone behaves as trained. Additionally, more and more things are built from pre-fabricated constructs of materials, or source code from pre-defined libraries, or as in the case for training people, from pre-existing experiences. The new builders are only aware of what they put together and not how the pre-fabricated parts work in a new environment with new variables and in new ways. Therefore the truth of configuration and training is in the resulting operations. Nothing can tell us more about how we can fulfill objectives or follow a strategic vision than how we do what we are doing now. And that knowledge allows us to control what interactions we want. That’s why we need to test operations.
The OSSTMM is continually in development as we learn more and more about what it means to be safe and secure. Provided here is the latest public release. To receive OSSTMM development status, notes, and betas, become part of the team. Subscribe now to join theISECOM Gold or Silver Team or contact us with how you can help OSSTMM development and earn a place on the core development team.
OSSTMM 3 Evening Talk 22.01.2008
Pete Herzog presents the ongoing research into OSSTMM 3 and its practical aspects for business.