In the next days foss.in 2010 will take place, and it is now one year ago, at foss.in 2009, that I introduced for the first time my efforts around the Fedora Security Lab and the OSSTMM, as my ongoing approach to maintain a platform for security testers and for teaching security, by including methods from the Open Source Security Testing Methodology Manual (OSSTMM) rather than just having a selection of test tools. There is still a lot of work ahead and sometimes I go crazy over the hurdles we have to take because of trade secrets, licence issues etc., but even with small steps you can walk a path ;)
I look forward to my talk at FUDCon Tempe/Arizona in January 2011 to find out how we can improve on that.
Nearly every standard that integrates security management into business processes requires that the results of security tests, as the base for the risk assessment, are comparable and reproducible. How do you ensure that? The OSSTMM is the perfect guide. And the auditing department will love the results from the OSSTMM metric, the Risk Assessment Value (rav). For those who do not know the OSSTMM: the "Institute for Security and Open Methodologies (ISECOM)" is the non-profit organization and maintainer behind the approach to create the "ultimate security guide"!

Working together with ISECOM, I got my hands on the brand new and soon to be released OSSTMM 3!
ISECOM released some sneak previews and Lite versions of version 3 in the past years. The Lite version in 2008 was complete enough to give a good idea of the direction the whole thing is going.
But the last complete, publicly available version of the OSSTMM was version 2.2 from Dec 2006. So it took 4 years to come up with a new version! Putting all the released work and blog posts from ISECOM together over time, interested people could get a good picture of what the new release will look like, but there were also surprises.
Version 2.2, with 129 pages overall, contained 41 "empty" template pages; the current version that I have here now is 210 pages strong, what a bunch of paperwork ;)! But it is not just quantity: what I see at first sight is that the wording and the chapters are much more consistent and better meshed together.
During these 4 years a lot of work has been invested, and even work that was already invested to improve the new standard has been removed from this version, like the "Test Error Margin" (TERM). To be honest I am not so unhappy about that, because the TERM had biased parts in its calculation anyway ;)
Like the old version, the new one has the benefits of a standard: it provides common ethics and conduct, common wording, organizational regulations, a common sense. Like the "old" one, it does not only take vulnerabilities into account but also looks into security controls and operational security. It also considers legislation and compliance, and it provides a really awesome security metric to deliver quantified test results.
Hint: I know a lot of people who also use the rav as a helper to make the final decision about which new control to choose when confronted with different solutions to spend money on security. According to the new standard, the metric from 2.2 is not compatible with 3.0 and must be recalculated. Hmm, this is something I have to dive into :S
It introduces things we expected in the new version, like the 4 point process and the reordering of the Security Map, with now 3 classes divided into 5 channels and 17 modules for every channel. This is something I like much better, because in the old version it felt inconsistent and confusing in that every channel (formerly section) had different modules with different names. No templates? Yes, besides the audit report (STAR), there are no templates, and I do not miss them ;)
Reading through it, I get more and more excited: there is a mapping of which module represents which part of the 4 point process. Newcomers will find things that help them with the transition from classical concepts of security definitions by linking them against the OSSTMM controls. Another huge new part is a whole chapter on trust analysis, introducing trust properties and trust rules; I should have guessed that from Essential Trust Analysis.
Diving into the channels, modules and tasks, they are still quite explicit and specific about what to test and what to perform, but leave you enough room to decide which tools you use for doing your work, as long as you know what you are doing with them; I know a lot of testers who feared that this would get cut off. The "expected result" passage is no longer part of the modules, and this can only help to find an unbiased result. I already pointed out that it is now much more consistent by having the same modules in every channel, and therefore I am convinced it is easier to work with!!!
I cannot wait to see it adopted by more security professionals.