An Information Security Community
I am following many discussions on pentesting, including the one in @pauldotcom EP225: about how customers order pentests for the wrong reason (compliance checkboxing), how the word “pentest” has lost its original meaning and what we should call it instead, what penetration testing shall concentrate on, how the results shall be presented, how the right rules of engagement can guide clients to better understand what the test is all about, how it shall be tested, whether or not blackbox tests are good or not so good, what metrics shall be used in order to assign weighted impact to different findings, what methodologies could be used for penetration testing so that it takes into account the business, its organization and the existence or absence of appropriate controls… STOP! Guys, you really should read the OSSTMMv3. I don’t say it’s perfect, but it has many answers to many questions that I hear being discussed over and over again with little tangible result so far. You should thoroughly read it and ask the creator @isecom questions if some things are unclear (as I said, it’s not perfect and many details in my opinion need further explanation).
After you have done this, you should discuss it in your podcasts, blogposts and so on. Give it a try. It’s worth it, even if you still decide that it’s not the methodology you want to use afterwards.
But the process of discussing an existing, thought-through methodology and comparing it to other methodologies (if there are any of that kind at all) would be a good thing in itself, as it would push the discussion to another level.
Just do it! And give @peteherzog and all the people that helped develop the methodology credit by at least really reading and constructively discussing it.
Disclaimer: I am a certified OPST (OSSTMM professional security tester) but I am not affiliated or associated with ISECOM.
I really don't care about my certification and I don't even think the OSSTMMv3 is the ultimate methodology. But let's just PLEASE discuss what's in there and how we can use it - or not. If you think it's crap, please let the infosec community know your alternatives. We should really work together on a good security testing methodology or standard.