The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does.
What you get from utilizing OSSTMM is a deep understanding of the interconnectedness of things. The people, processes, systems, and software all have some type of relationship. This interconnectedness requires interactions. Some interactions are passive and some are not. Some interactions are symbiotic while others are parasitic. Some interactions are controlled by one side of the relationship while others are controlled by both. We may try to control what we can't trust, but even then some controls are flawed or superfluous, which is harmful to at least one side of the relationship, if not both. What we want is for our controls to balance perfectly with the interactions we want or need. So when we test operations we get the big picture of all our relationships, coming and going. We get to see the interconnectedness of the operations in fine detail and we get to map out what makes us, our business, and our operations what they are and can be.
Why test operations? Unfortunately, not everything works as configured. Not everyone behaves as trained. Additionally, more and more things are built from pre-fabricated constructs of materials, from source code in pre-defined libraries, or, in the case of training people, from pre-existing experiences. The new builders are only aware of what they put together and not how the pre-fabricated parts work in a new environment with new variables and in new ways. Therefore the truth of configuration and training is in the resulting operations. Nothing can tell us more about how we can fulfill objectives or follow a strategic vision than how we do what we are doing now. And that knowledge allows us to control what interactions we want. That’s why we need to test operations.
The OSSTMM is continually in development as we learn more and more about what it means to be safe and secure. Provided here is the latest public release. To receive OSSTMM development status, notes, and betas, become part of the team. Subscribe now to join the ISECOM Gold or Silver Team or contact us with how you can help OSSTMM development and earn a place on the core development team.
OSSTMM 3 Evening Talk, 22.01.2008. Duration: 51:16. Pete Herzog presents the ongoing research into OSSTMM 3 and its practical aspects for business.