Pete Herzog, Founder of ISECOM, will be discussing the revised Open Source Security Testing Methodology Manual (OSSTMM v3) and how it applies to web application security today (10-13-2010) in Raleigh, NC.
Pete rarely gets to the US, so this is a unique opportunity for security professionals to have an open discussion with him about trust-based security models and how to apply sound logic to securing and testing web applications.
"About 5 years ago, while searching for any existing methodologies, I stumbled across ISECOM and the Open Source Security Testing Methodology Manual. It changed the way my company and I engaged with clients at every angle," Michael Menefee of WireHead Security recently wrote.
"As a security consultant, I've always looked for ways to increase consistency, efficiency and value when conducting security analysis on a client's network or business," Menefee stated. "This would, of course, require both a data collection methodology as well as a reporting methodology in order to work properly."
The OSSTMM is a peer-reviewed methodology for performing security tests and metrics, and the test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.
On the origins of the OSSTMM, Pete Herzog wrote that, "in the research for factual security metrics, factual trust metrics and reliable, repeatable ways for verifying security, including concretely defining security, we found that the practice of guessing forecasting risk was not only non-factual but also backwards. Risk stuck us into a never-ending game of cat and mouse with the threats."
"Beginning with version 3, the OSSTMM is no longer just about security testing. The break-throughs we've had in security had us re-visit how we work with security. This includes risk assessments."
Christoph Baumgartner, CEO of OneConsult GmbH in Switzerland - whose firm has been using the OSSTMM methodology since its inception - recently commented on the value proposition the methodology standard offers, stating that, "the most important aspect is that we have an easier time keeping our clients. Most of the companies and organizations which order security audits on a regularly basis are fairly well organized and have a strong interest in gaining and keeping an adequate level of security."
"Having the attack surface metrics, the ravs, means that they can watch trends and keep a close eye on how changes in operations affect their security directly. I can definitely confirm that many of our clients who have to change the supplier for security policy reasons expect their future suppliers to apply the OSSTMM."
OSSTMM was developed by the Institute for Security and Open Methodologies (ISECOM), a non-profit collaborative community established in January 2001.
In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more
Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more
For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more
With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more