Developers 'sick of reading bland descriptions'
vnunet.com, 18 Feb 2002
A group of open source developers dedicated to introducing an industry standard on security testing will be releasing the fruits of their labours later this month.
Ideahamster.org started working on the Open Source Security Testing Methodology Manual (OSSTMM ) last year after becoming "sick of reading bland testing methodology descriptions".
The group, which includes security experts and developers, claimed that the introduction of an industry standard on security testing would make it easier for users to judge security products.
Security firms currently use a number of different methodologies for testing, often producing a variety of results.
Ideahamster pointed out that descriptions of security testing methodology were often of the "we use unique, in-house developed methodology and scanning tools" ilk, or were "bland or secret".
Pete Herzog, heading up the development group, said that the focus of the project is to set a standard whereby "any network or security expert who meets the outline requirements in this manual is said to have completed a successful security snapshot and therefore, if nothing else, has been thorough."
Herzog chose the open source route for the project because he claims that a standardised methodology would be better recognised if "you, your colleagues, and your fellow professionals have helped design it and write it."
On the release announcement, Herzog wrote: "I have been able to integrate most of the submissions, corrected flow for new procedures, new laws, and new tasks. I have integrated security metrics, risk assessments, and included sections which will better guide testing.
"Included is a template of a sample report which contains all the elements which MUST appear in a report to carry an OSSTMM compliancy clause, data collection templates, and a few other OSSTMM standard testing instruments."
At the time of its conception, the OSSTMM was welcomed by security experts who backed the move to introduce a standard, although there was some concern over whether the project would receive enough industry support to survive.
Latest developments on the Open Source Security Testing Methodology Manual can be found here.
A group of security developers has called for an industry standard for internet security testing.
V3.co.uk gets a walk through of the Hero, which includes HTC's new Sense overlay for Android
First Looks Editor Ian Williams gets hands on with the Sony Ericsson Xperia X1
NetGear's four-bay compact network-attached storage gets a serious speed boost
Do you agree?
Have your say on this article