RE: OSSTMM how good is it?
- From: "Steve Armstrong" <stevearmstrong@xxxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 May 2006 13:01:12 +0100
Rik
I believe the OSSTMM is a good framework, in an industry with few public
standards.
As to its resected nature, I cannot answer that however, I point to fact
it is probably one of the few standards the customer can get for
themselves and read. Thereby showing your practices and procedures are
open to scrutiny (if required) and your testing should be all
encompassing and thus reducing his risk of future unknown security
issues.
It is good because it challenges the perception that many IT Security
Testing Companies will agree to testing without publishing the depth and
vigour to which they will undertake that testing. Many just come and do
'stuff' and give you a report and an invoice.
Please note I am not disrespecting these companies, I am perhaps
oversimplifying the controls that place on releasing what they actually
do - usually for fear of competition.
However, you state you are undertaking IS1&3 but not 2 why is that. And
given the nature of IS1&3 why are you using CRAMM?
Finally, are you looking to use the OSSTMM as in internal testing
standard or one to level contracts against? I ask because your
questioning alludes to a non technical level of expertise but you are
discussing a methodology to undertake technical testing.
Steve A
Reader and user of IS1-5 but NOT CRAMM
User of OSSTMM
---------------------------------------------------
UK IT Security Forum - www.logicallysecure.com/forum
------------------------------------------------------------------------
--------------------------
-----Original Message-----
From: rik kershaw-moore [mailto:rkm@xxxxxxxxxxxxxxxxx]
Sent: 16 May 2006 06:47
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: OSSTMM how good is it?
Can I ask what people think of the OSST and the Methodology laid down in
the OSSTM Manual?
Another question, especially for those UK residents - how well respected
is the OSST Methodology?
I am thinking of including this in our standard internal dest practice
set.
We aleady use the HMG InfoSec Standards 1 & 3 and CRAMM for Risk
Assessment, the ITIL Security Model for Security Change & Incident
Management but we are currently lacking when it comes to a decent
Testing Standard.
Yours,
Rik Kershaw-Moore, ITPC-HMG..
--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
------------------------------------------------------------------------
------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise,
you need to proactively protect your applications from hackers. Cenzic
has the
most comprehensive solutions to meet your application security
penetration
testing and vulnerability management needs. You have an option to go
with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your
results from other product. Contact us at request@xxxxxxxxxx for
details.
------------------------------------------------------------------------
------
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------
- Follow-Ups:
- Re: OSSTMM how good is it?
- From: rik kershaw-moore
- Re: OSSTMM how good is it?
- Prev by Date: Re: how an hacker can bypass a chrooted environement ?
- Next by Date: Paros 3.2.12 Release
- Previous by thread: Silver Bullet Security Podcast with Gary McGraw
- Next by thread: Re: OSSTMM how good is it?
- Index(es):
Relevant Pages
|
