RE: ISSAF 0.2 release



Hi Stefano,

-----Original Message-----
From: Stefano Zanero [mailto:s.zanero@xxxxxxxxxxxxxxxx]

Omar A. Herrera wrote:
We are pleased to announce the release of draft 0.2 of the Information
Systems Security Assessment Framework (ISSAF).

Just to help me understand, what's the difference between this and the
more established OSSTMM ?

Stefano

Thanks for pointing this out; it will be useful to clarify this publicly
since many others will probably have the same question. For that matter I
reproduce below parts of a conversation with John Kinsella involving members
of the OISSG and ISECOM.

As on that occasion, I invite Pete Herzog and other ISECOM members to post
any further clarifications they deem appropriate.

I hope this helps to clarify related doubts. Further questions and comments
on this matter are most welcome.

Best regards,

Omar Herrera
Chairman, ISSAF Steering Committee


-----Original Message-----
From: John Kinsella [mailto:jlk@xxxxxxxxxxxxxx]
Sent: Tuesday, November 01, 2005 3:59 AM
To: Omar A. Herrera
Subject: Re: OISSG call for participation

Omar - any comments on how you guys compare/complement/differ to
ISECOM?
Might want to put that as a FAQ somewhere on the site...

We definitely will include this information in a FAQ, thanks for
your comment. But for now I'll address the question.

ISECOM's OSSTMM is an excellent security testing methodology that
focuses mainly on pentesting. It is a mature project whereas ISSAF
has not yet reached a stable, for production use, stage.

It might seem that we overlap in some areas, but there are
differences that allow ISSAF and OSSTMM to complement each other.

In some sense (because of its nature), ISSAF aims to be broader
and more detailed, e.g. we have a section on how to assess AS400
systems, network devices, etc. and we plan to include sections on
how to do security assessments for handheld device configuration and
smartcards. We try to include as much information as possible, such
as detailed examples of testing techniques and some tool outputs.
From a less technical point of view, ISSAF will cover things like
assessment of patch management, vulnerability management and version
control management processes.

There are advantages and disadvantages to this approach; the
advantage is that you will have something like a security wikipedia
with information on how to conduct security assessments for a wide
range of processes and systems. However, this implies that it will
require frequent updates and a lot of effort to maintain.

OSSTMM, being a methodology, will be less affected by obsolescence
issues, because you can apply the same methodology to several
assessment engagements, using different techniques and tools. On the
other hand, ISSAF is a framework and aims to give you the latest
information on techniques, tools, best practices and regulation
issues to complement your assessment engagement, whether you use
OSSTMM as your assessment methodology or any other.

We might work closely with ISECOM in the future as well. We are an
open group and are definitely not opposed to that :-).

The opinion of Pete Herzog or any other members of ISECOM might also
help to clarify things further (I'm CCing Pete and Balwant, because
your question is interesting for both ISECOM and the OISSG). But for
now, I hope this will answer the question.

Kind regards,
Omar Herrera


