Implementing OSSTMM Strategies Creates Value

Tuesday, September 28, 2010

Infosec Island Admin


An Interview with Christoph Baumgartner, CEO of OneConsult

While re-addressing the OSSTMM and its application/usefulness in my firm's business, I wanted to gain the perspective of a company that's been using the OSSTMM for some time. More specifically, I wanted to know if that company's clients have seen a measurable improvement in their information security programs, since that is our overall goal, right?

We reached out to Christoph Baumgartner, CEO of OneConsult GmbH in Switzerland, whose firm has been using the OSSTMM methodology since its inception, to find out what the OSSTMM methodology has meant to his firm and his clients.

OneConsult GmbH was founded in 2003 by Christoph Baumgartner and Dr. Cathrin Senn to offer unbiased, product-independent consulting services in the fields of IT security and IT strategy, with a focus on technical security audits (penetration test, application security audit, ethical hacking), conceptual security audits and related training.

Christoph has been involved in IT since 1983, and has a great deal of experience as a project manager and consultant in a wide range of sectors. Before co-founding OneConsult, Christoph held several management positions at various respected system and security integrators.

He specializes in technical and conceptual security audits, security guidelines and concepts, BCM and DR coaching as well as strategic consulting, and is an ISECOM contributor on the ISECOM Core Team.

Christoph has graciously offered to share with the Infosec Island community his experience with adopting the OSSTMM methodology from a security consulting business point of view.

Q: Tell us a bit about the company, its history, yourself, your target market, etc.

OneConsult GmbH is an internationally operating Swiss information security consulting firm with a special focus on technical security audits, computer forensics and training. After several years of working as an information and IT security consultant, I founded OneConsult in 2003 out of the need to better serve the industry.

In those days Swiss ICT companies were mainly offering technical security audits as a "me too service" to open the door for product sales. However, this approach didn't meet the real needs of mid-sized and large companies or apply the so-called segregation of duties.

This principle postulates that the supplier of an IT solution be different from the technical auditor performing the test after its implementation.

In 2003, only a few, mostly very small, Swiss firms specialized in services as demanding as penetration testing, application security audits, and ethical hacking. I was convinced that the demand for such services would increase in the face of an ever growing on-line world and, faced with the challenge, founded OneConsult.

Today, OneConsult has a great reputation for its customer focus, high-quality services, and expert staff. It is definitely one of the key security players in Switzerland and the surrounding countries.

Q: When did OneConsult begin using the OSSTMM?

Before we founded OneConsult, I was working on a large security audit project for the public sector. One of the key objectives was to identify and evaluate methodologies for performing and documenting IT security tests which were well established and practical.

After screening all relevant methodologies available, the client and I agreed to use the Open Source Security Testing Methodology Manual (OSSTMM). Soon after I founded OneConsult and decided to base all technical security audits (with the exception of the rather simple security scan) on the OSSTMM because of its practical approach, flexibility and metrics.

Q: When was OneConsult certified as an ISECOM Licensed Auditor and ISECOM Partner (accredited trainer)?

We went after the credentials when we realized that to truly serve our clients we needed to be a participant and not just a spectator. The ISECOM Licensed Auditor label was defined in 2006 and we were the first company to apply for certification.

The label is a reflection of our strong commitment to the methodology and has in my experience proven to be a valuable and trusted brand, making it a distinguishing factor in the IT security industry. We then became an ISECOM Partner in 2007.

This accreditation gives our company the right to provide official ISECOM trainings to clients so they get more out of the OSSTMM audits. We feel it's always better to help the client understand and be in sync with what we do for them. It's a level of transparency that helps build trust.

Q: What did becoming an ISECOM Licensed Auditor, an ISECOM partner and employing the OSSTMM model mean for OneConsult's business?

In the early years when the OSSTMM was not as well known as today, we had to introduce the OSSTMM and its core features to new prospects, proving that they can rely on the methodology. Almost all clients who had chosen to do an audit following the OSSTMM later made it a mandatory requirement for all future audits.

Some of the main reasons for its popularity were the risk assessment values (ravs) and its benchmarking capabilities, the rules of engagement, and its very practical, hands-on approach. While a home-grown methodology might be perfect for a specific project, its downside is that it is not publicly available.

As a consequence, a client cannot well compare results from tests performed by different auditors. This comparability of the results gave our number of OSSTMM-compliant audits a strong boost, and in parallel increased OneConsult's reputation as a reliable, customer-focused IT security company.

Our long experience employing the methodology and the OSSTMM currently being reviewed by the ISO Standardization Committee are key factors for our future success.

Q: How many OSSTMM-compliant assessments has OneConsult performed?

We have successfully completed over 250 OSSTMM-compliant technical security audits since 2003. This makes us the leading company of OSSTMM testing in the German-speaking countries.

Q: What impact has OSSTMM had on OneConsult's clients? Are they improving their Operational Security as a result?

The most important aspect is that we have an easier time keeping our clients. Most of the companies and organizations which order security audits on a regular basis are fairly well organized and have a strong interest in gaining and keeping an adequate level of security.

Our clients can watch and maintain their exact level of operational security using the OSSTMM. This means their tests are repeatable and therefore comparable no matter who they choose to do the security test.

Having the attack surface metrics, the ravs, means that they can watch trends and keep a close eye on how changes in operations affect their security directly. I can definitely confirm that many of our clients who have to change the supplier for security policy reasons expect their future suppliers to apply the OSSTMM.

Q: What would you recommend to security consulting firms in North America that have not yet utilized the OSSTMM methodology?

I encourage every security consulting company to take a look at the OSSTMM especially if they plan to modify their testing methodology or to create a new one. For me the calculation is quite simple since security consulting companies offer security audits of different quality levels.

That quality depends on the degree of automation, the scope, the test depth, the knowledge of the testers, and the project time. The client then expects an accurate and meaningful report at the end of the project.

The OSSTMM takes all of these points into account - so why define a new methodology when the OSSTMM is readily available and has stood the test of time? When I started to use the methodology in 2002, we only focused on the rules of engagement and the reporting templates. In those days, the rav calculation was not as highly developed as it is today.

The OSSTMM has been enhanced over time quite dramatically. The current and upcoming releases are strongly related to practical issues and it's a big plus that the results can give operational security a numeric and comparable value.

As soon as an IT security company has the intention of using the OSSTMM as a marketing vehicle in addition to its use as a testing methodology, they should certify their employees as OSSTMM professionals in OPST, OPSA, OPSE, OWSE or CTA.

After that, they can be ISECOM Licensed Auditors (ILA) or an accredited ISECOM Partner to enhance client relationships by offering training.

Q: Anything else you would like to add?

Relying on the OSSTMM has been one of the most important strategic decisions of my professional life - and I have never regretted it.
