On Thursday Feb 17 and Friday Feb 18 2011, I attended ISECOM's first OSSTMM Forum at La Salle University in Barcelona, Catalunya, Spain.
For anyone who doesn't know yet, OSSTMM is the Open Source Security Testing Methodology Manual.
There, I met some of ISECOM's training partners, auditors using the OSSTMM for their clients' assessments, and other interested parties.
Those of us with little OSSTMM experience learned a bit more about the OSSTMM metrics: how it all works, how the ravs are calculated, and what standard practices have been initiated to ensure that audits carried out by different groups use the same methods for determining which numbers to plug into the spreadsheets.
There was an interesting talk on OSSTMM Trust Metrics, and another on Channels, Modules, and Tasks breaking down exactly what makes each of these components. There was some discussion on how modules can fit together and which ones are mandatory, which are optional, and debating whether other channels exist.
We then broke into separate groups to work on various aspects of the next stages of the evolution of the OSSTMM. Each group took a different issue, such as defining what the Vision of the OSSTMM is, or should be.
The big event on the second day was the presentation of the ISO/IEC NWIP (New Work in Progress) proposal that would take the OSSTMM as we know it, mash it up with NIST SP800 and make a new ISO standard in the 27000 series.
ISO 27008: Guidance for Auditors on ISMS Controls is in the process of being created, and that is where components of the OSSTMM will end up. (ISO standards take a long time to be made, even longer than most had been waiting for OSSTMM 3.) In the meantime, ISO has suggested a standardization of terminology that will probably be reflected in OSSTMM 4 before it appears in ISO 27008.
After the ISO talk we all broke into groups again to work on items like training materials, and applied OSSTMM components. OSSTMM is very high level, and the thing that everyone seems to be in agreement on is the need for applied OSSTMM documents outlining how it can be applied to different realms, such as web applications, computer networks, system hardening, etc.
In the week following the Forum, Pete signed us all up to three of ISECOM's closed discussion lists: OSSTMM, Security Metrics, and Trust Metrics. The interesting conversations have continued on these e-mail lists. I think the e-mail lists may end up being the thing I like most about the OSSTMM Forum.
Interestingly, Pete was aiming for OSSTMM 4 to come out possibly later this year, but I think that the group as a whole decided that Applied OSSTMM and smaller executive summary documents are a higher priority at the moment over further refining the "Bible" of OSSTMM.
Pete says he'd like to meet in Barcelona once a year (probably March or April next year), and several of the attendees agreed that to keep momentum it's probably best to also have a small meeting elsewhere in the fall. So keep your eyes open for more OSSTMM Forum announcements in the months to come.
Oh hey, Pete... That Hacking Exposed Linux book is out on Kindle now. Just bought it last night. When I checked a couple weeks ago it was the only Hacking Exposed book I couldn't find a Kindle version of.