Security Testing Manual 2.0

Posted on 15.2.2002

The Open Source Security Testing Methodology Manual 2.0 will be released on February 26th at http://www.ideahamster.org/.

The Open Source Security Testing Methodology Manual (OSSTMM) is unique in that it is the first and most widely available standard in development for the comprehensive security testing of Internet systems and networks. Created by the Ideahamster organisation, the OSSTMM is a continuously evolving document with over 150 collaborators – ensuring that as IT focus changes and new developments in Internet security occur, the OSSTMM remains current and up to date.

Before the OSSTMM, no documents existed which addressed the needs of security professionals by providing an open, publicly available standardised guide for formal Security Testing. We assume that there are other methodologies, but no commercial enterprises have ever made them public knowledge – ultimately, clients end up paying for services that they cannot really evaluate.

There are many companies that offer security testing – whether by automated tool, or by using ‘real world hacker experience’. Some claim to be compliant with various government sponsored certification schemes, other boast membership to various closed-shop accreditation schemes. Until now, no certification or standard existed that provided clients and end users with assurances that the security testing work they are commissioning is to an acceptable standard.

The OSSTMM changes all of this – offering participants a consistent framework and clearly quantifiable results, thereby affording a level of assurance or the output quality, accuracy and validity of the tests that end users have not yet seen in the Security Industry.

Security Testing thus becomes quantifiable, constant and repeatable, visibly thorough and compliant to a global range of individual and local laws.

From my announcement mail:
"I have been able to integrate most of the submissions, corrected flow for new procedures, new laws, and new tasks. I have integrated security metrics, risk assessments, and included SECTIONS which will better guide testing. Included is a template of a sample report which contains all the elements which MUST appear in a report to carry an OSSTMM compliancy clause, data collection templates, and a few other OSSTMM standard testing instruments. All of this document will be drill down to the web site in the appropriate places and room to grow. This is a very different manual from 1.5."