22 Mar 2001
A group of security developers has called for an industry standard for internet security testing.
The group, called Ideahamster, which includes a mixture of security experts and developers, has suggested that the introduction of such a standard would make it easier for users to judge security products. Security firms currently use a number of different methodologies for testing their products.
Members of the group said the idea of the Open Source Security Testing Methodology Manual was spawned after they became "sick of reading bland testing methodology descriptions".
The homepage for the manual has been set up at Ideahamster.org and the development group is hosted by security resource site Sourceforge.net.
Group member Pete Herzog said that the focus of the manual "is to set forth a standard for internet security testing. Regardless of firm size, finance capital and vendor backing, any network or security expert who meets the outline requirements in this manual is said to have completed a successful security snapshot and therefore, if nothing else, has been thorough."
Herzog added: "All security information I found on the internet regarding a methodology was either bland or secret. For example: 'We use unique, in-house developed methodology and scanning tools'. This was a phrase found often."
"I remember once giving the advice to a chief information officer that if a security tester tells you his tools include ISS, Cybercop, and 'proprietary, in-house developed tools' you can be sure he mainly uses ISS and Cybercop," he said.
On this basis a standardised methodology would be formed, which everyone could help develop. "And if you need to know why you should recognise it - whether or not you follow it to the letter - it is because you, your colleagues, and your fellow professionals have helped design it and write it," said Herzog.
The concept was welcomed by Paul Rogers, a security analyst with consultancy MIS, who said that Ideahamster was taking a unique stance in attempting to make security recommendations open source.
Although the movement has only just kicked off, Rogers believed that it would need a lot of support from the industry to survive.
"Some sort of standard is definitely needed," he said. "If you go to two different companies for a security audit you could get two very different sets of results. I would like to see this take off and I put my support behind it."
Rogers was enthusiastic about the industry support the manual could obtain. "Over the next 12 months governments and businesses will realise there is a definite need for a standard, especially as the importance of security is realised," he explained.