This is partly a re-post of my blog at kamerazukleber.tumblr.com:

I am following many discussions on pentesting, including the one in @pauldotcom EP225: about how customers order pentests for the wrong reason (compliance checkboxing), how the word “pentest” has lost its original meaning and the question of what we should call it instead, what penetration testing shall concentrate on, how the results shall be presented, about how the right rules of engagement can guide clients to better understand what the test is all about, about how it shall be tested, about whether or not blackbox tests are good or not so good, about what metrics shall be used in order to assign weighted impact to different findings, about what methodologies could be used for penetration testing so that it takes into account the business, its organization and the existence or absence of appropriate controls…. STOP! Guys, you really should read the OSSTMMv3. I don’t say it’s perfect, but it has many answers to many questions that I am hearing being discussed over and over again with little tangible results so far. You should thoroughly read it, and ask the creator @isecom questions if some things are unclear (as I said, it’s not perfect and many details in my opinion need further explanation).

After you have done this, you should discuss it in your podcasts, blogposts and so on. Give it a try. It’s worth it, even if you still decide that it’s not the methodology you want to use afterwards.

But the process of discussing an existing, thought-through methodology and comparing it to other methodologies (if there are any of that kind at all) would be a good thing in itself, as it would push the discussion to another level.

Just do it! And give @peteherzog and all the people that helped develop the methodology credit by at least really reading and constructively discussing it.


OSSTMMv3: http://www.isecom.org/mirror/OSSTMM.3.pdf


Disclaimer: I am a certified OPST (OSSTMM professional security tester) but I am not affiliated or associated with ISECOM.

I really don't care about my certification and I don't even think the OSSTMMv3 is the ultimate methodology. But let's just PLEASE discuss what's in there and how we can use it - or not. If you think it's crap, please let the infosec community know your alternatives. We should really work together on a good security testing methodology or standard.

Comment by Dennis Lemckert on February 26, 2011 at 4:22am
Downloaded and on the 'to read' list. I'll get back on it
