Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: OSSTMM how good is it?

from [Steve Armstrong] Network Security [Permanent Link]
Subject: RE: OSSTMM how good is it?
Date: Tue, 16 May 2006 13:01:12 +0100 
Rik

I believe the OSSTMM is a good framework, in an industry with few public
standards.

As to its resected nature, I cannot answer that however, I point to fact
it is probably one of the few standards the customer can get for
themselves and read.  Thereby showing your practices and procedures are
open to scrutiny (if required) and your testing should be all
encompassing and thus reducing his risk of future unknown security
issues.

It is good because it challenges the perception that many IT Security
Testing Companies will agree to testing without publishing the depth and
vigour to which they will undertake that testing.  Many just come and do
'stuff' and give you a report and an invoice.  

Please note I am not disrespecting these companies, I am perhaps
oversimplifying the controls that place on releasing what they actually
do - usually for fear of competition.

However, you state you are undertaking IS1&3 but not 2 why is that.  And
given the nature of IS1&3 why are you using CRAMM? 

Finally, are you looking to use the OSSTMM as in internal testing
standard or one to level contracts against?  I ask because your
questioning alludes to a non technical level of expertise but you are
discussing a methodology to undertake technical testing.  


Steve A

Reader and user of IS1-5 but NOT CRAMM
User of OSSTMM

---------------------------------------------------

UK IT Security Forum - www.logicallysecure.com/forum

------------------------------------------------------------------------
--------------------------

-----Original Message-----
From: rik kershaw-moore [mailto:rkm@tsiolkovsky.co.uk] 
Sent: 16 May 2006 06:47
To: pen-test@securityfocus.com
Subject: OSSTMM how good is it?

Can I ask what people think of the OSST and the Methodology laid down in
the OSSTM Manual?

Another question, especially for those UK residents - how well respected
is the OSST Methodology?

I am thinking of including this in our standard internal dest practice
set.

We aleady use the HMG InfoSec Standards 1 & 3 and CRAMM for Risk
Assessment, the ITIL Security Model for Security Change & Incident
Management but we are currently lacking when it comes to a decent
Testing Standard.  

Yours,

Rik Kershaw-Moore,  ITPC-HMG..



--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.


------------------------------------------------------------------------
------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's 
Choice Award from eWeek. As attacks through web applications continue to
rise, 
you need to proactively protect your applications from hackers. Cenzic
has the 
most comprehensive solutions to meet your application security
penetration 
testing and vulnerability management needs. You have an option to go
with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm
your 
results from other product. Contact us at request@cenzic.com for
details.
------------------------------------------------------------------------
------


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: how an hacker can bypass a chrooted environement ?, Marco Ivaldi
Next by Date:  Paros 3.2.12 Release, contact
Previous by Thread:  Silver Bullet Security Podcast with Gary McGraw, Giovanni Vigna
Next by Thread:  Re: OSSTMM how good is it?, rik kershaw-moore
Indexes:  [Date] [Thread] [Top] [All Lists]