OSSTMM Definition

OSSTMM (Open Source Security Testing Methodology Manual) provides a methodology for a comprehensive security test, which this document refers to as an OSSTMM audit.

An OSSTMM audit is an exact measurement of security at the operational level, one that avoids assumptions and anecdotal evidence.

As an open-source project, it allows any security testing professional to contribute ideas for more accurate, concrete, and efficient security tests, and it allows the free dissemination of information and intellectual property.

History

From its inception in late 2000, OSSTMM grew rapidly to cover all security channels with the applied experience of thousands of collaborators.

By 2005, OSSTMM was no longer regarded merely as a framework of good practice; it had become a methodology for ensuring that security is correctly implemented at the operational level.

As security audits became mainstream, the need for a solid methodology became critical.

In 2006, OSSTMM moved away from defining tests around particular solutions (firewall tests, router tests) and became a standard for those who need a reliable security test rather than merely a compliance report for a specific law or regulation.

Features of OSSTMM

Environments are significantly more complex than in previous years because of developments such as remote operations, virtualization, cloud computing, and other new types of infrastructure; testing can no longer be limited to desktops, servers, and routing equipment.

  • Therefore, version 3 of OSSTMM covers all human, physical, wireless, telecommunication, and data network channels.
  • This also makes it well suited to testing cloud computing, virtual infrastructure, messaging middleware, mobile communication infrastructure, high-security locations, human resources, trusted computing, and any logical process that spans the various channels and requires a different kind of security test.
  • A set of attack-surface metrics, called ravs, provides a powerful and highly flexible tool that gives a graphical representation of the security state and shows how that state changes over time.
  • This integrates well with a “dashboard” that is useful to management, and with internal as well as external tests, allowing the two to be compared or combined.
  • Quantitative risk management can be carried out from the report of the OSSTMM audit's findings, giving an improved result thanks to more accurate, error-free findings.

However, what is proposed here is trust management rather than risk management. OSSTMM also includes information on planning the project, quantifying results, and the rules of engagement for security audits.