200 7.3 The Open Source Security Testing Methodology Manual
results of prior tests; the value and sensitivity of data and systems; and
changes to systems, policies and procedures, personnel, and contractors. For
example, network vulnerability scanning on high-risk systems can occur at
least as frequently as significant changes are made to the network.
7.3 The Open Source Security Testing Methodology Manual
According to Pete Herzog, Managing Director of the Institute for Security and Open Methodologies [1], the Open Source Security Testing Methodology Manual (OSSTMM) was developed to set forth a standard for external security testing. Focused more on the skills and techniques of the testers than on the marketing brand of the examiners, OSSTMM is a solution to the problem of inconsistency in both the qualitative and quantitative aspects of a security test. Herzog maintains that any network or security tester who meets the outline requirements described in the OSSTMM is said to have completed a successful security test with more lasting worth than just a snapshot of the current posture. The following paragraphs have been contributed directly by Mr. Herzog:
Security testing has an impressive and glamorous modern history, from the Navy Seals commissioned to break into American bases and armories to validate defensive measures to the hackers and con men hired to break into secured data stores to verify points of weakness or failure. Security testing is a profession full of megalomaniacs and “lone wolves” attracted to the hacker image, as it is often portrayed. But it’s also a profession full of team players, business-minded consultants, and information officers who have a daily job to do in keeping usability, safety, and privacy high on their agenda while reducing security risks and liabilities.

Security testing is also often compared to the parable of the Emperor’s New Clothes. The story is about two con artists who sell the king the most glorious clothing made from cloth that is invisible to idiots. Of course, the king, afraid to be thought of as an idiot who can’t see the clothes, never questions the con men and buys the clothing. During a parade, the townspeople, also afraid of being thought of as idiots, praise the new clothing. It is a child who then speaks up, “Why is the king naked?”
Like that child in the parable, the security tester must question the world as they see it. They see what is to be seen and then probe, poke, and otherwise test what they see and take note of what occurs in an unbiased way. Anything else would taint the results. For this reason, it’s important that beginning security testers see themselves as mad scientists—pariahs with unconventional means, experimenting on what no one else dares. Mad scientists, as we’re told from the movies, approach their subjects with great knowledge and curiosity under a strict, repetitive methodology, but are creative as hell where the methodologies end. It’s no wonder, then, that security testing appeals to both the good and the bad. The security industry is incredibly wide and therefore, just as wide, is the industry of those to test that security.
An Internet security test is no more than a view of a system at a single moment in time. As we have stated previously, periodic, frequent reviews of security, or multiple snapshots over time, will likely increase the security posture of an organization dramatically. However, the caveat to this increased security posture is the assumption that the vulnerabilities found in security testing are acted upon in a timely manner. OSSTMM provides more than just a snapshot, if followed correctly. Herzog advocates a more holistic approach, which he refers to as the scattershot effect. This effect is seen when security practitioners execute various tests on the less dynamic components in an organization (e.g., PBX systems, automated door locks, etc.) that offer a longer security value than a simple snapshot, because the degradation of security for those components is slower and the recommended cycle of testing is much longer than for other components. For instance, it may be necessary to scan ports every eight days to remain at a 10% risk level, whereas testing the PBX is only necessary once every six months to remain at the same 10% risk level. So where a security test of the hosts may last a week, the test of the communications systems may last much longer. This approach addresses organizational security holistically, rather than with the conventional treat-the-symptom approach used by many organizations.
OSSTMM strives to become a central standard for security testing. Herzog believes that by following an open-source, standardized methodology, participants can make a valuable contribution to Internet security. We tend to agree with him.