First Annual (Possibly Semi-Annual) OSSTMM Forum

Wednesday, March 02, 2011

Rod MacPherson


On Thursday Feb 17 and Friday Feb 18 2011, I attended ISECOM's first OSSTMM Forum at La Salle University in Barcelona, Catalunya, Spain.

For anyone who doesn't know yet, OSSTMM is the Open Source Security Testing Methodology Manual.

There, I met some of ISECOM's training partners, auditors using the OSSTMM for their clients' assessments, and other interested parties.

Those of us with little experience with the OSSTMM learned more about the OSSTMM metrics: how it all works, how the ravs are calculated, and what standard practices have been put in place to ensure that audits carried out by different groups use the same methods for deciding which numbers go into the spreadsheets.

There was an interesting talk on OSSTMM Trust Metrics, and another on Channels, Modules, and Tasks, breaking down exactly what makes up each of these components. There was some discussion of how modules fit together, which ones are mandatory and which are optional, and debate over whether other channels exist.

We then broke into separate groups to work on various aspects of the next stages of the evolution of the OSSTMM. Each group took a different issue, such as defining what the Vision of the OSSTMM is, or should be.

The big event on the second day was the presentation of the ISO/IEC NWIP (New Work in Progress) proposal that would take the OSSTMM as we know it, mash it up with NIST SP800 and make a new ISO standard in the 27000 series.

ISO 27008: Guidance for Auditors on ISMS Controls is in the process of being created, and that is where components of the OSSTMM will end up. (ISO standards take a long time to be made, even longer than most had been waiting for OSSTMM 3.) In the meantime, ISO has suggested a standardization of terminology that will probably be reflected in OSSTMM 4 before it appears in ISO 27008.

After the ISO talk we all broke into groups again to work on items like training materials, and applied OSSTMM components. OSSTMM is very high level, and the thing that everyone seems to be in agreement on is the need for applied OSSTMM documents outlining how it can be applied to different realms, such as web applications, computer networks, system hardening, etc.

In the week following the Forum, Pete signed us all up for three of ISECOM's closed discussion lists: OSSTMM, Security Metrics, and Trust Metrics. The interesting conversations have continued on these e-mail lists. I think the e-mail lists may end up being the thing I like most about the OSSTMM Forum.

Interestingly, Pete was aiming for OSSTMM 4 to come out possibly later this year, but I think the group as a whole decided that Applied OSSTMM and smaller executive summary documents are a higher priority at the moment than further refining the "Bible" of OSSTMM.

Pete says he'd like to meet in Barcelona once a year (probably March or April next year), and several of the attendees agreed that, to keep momentum, it's probably best to also have a small meeting elsewhere in the fall. Keep your eyes open for more OSSTMM Forum announcements in the months to come.

Oh hey, Pete... that Hacking Exposed Linux book is out on Kindle now. I just bought it last night. When I checked a couple of weeks ago, it was the only Hacking Exposed book I couldn't find a Kindle version of.

Pete Herzog: Hey Rod, glad you came to the forum and contributed! It was good having you there. Two things: I didn't know that HEL was on Kindle. The things the publisher forgets to tell us.... Secondly, the lists are open; they just haven't been linked yet from the ISECOM site. But they will be soon! We always need more feedback!

Rod MacPherson: FYI for those curious to see where ISO 27008 is coming from, the NIST document from the SP 800 series that will be mashed up with OSSTMM to make ISO 27008 is SP 800-115.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.