The man behind OSSTMM

Federico Biancuzzi sits down with open source manual creator Pete Herzog


Pete Herzog, founder of ISECOM and creator of the Open Source Security Testing Methodology Manual (OSSTMM) talks with Federico Biancuzzi about the upcoming revision 3.0 of the OSSTMM.

Could you introduce yourself?

I'm Pete Herzog, managing director of ISECOM. I live in a small town in Catalonia just outside of Barcelona. It's also where I work part of the year. The other part of the year I work in the US. ISECOM is a non-profit, registered both here and in New York State, USA, with the aggressive mission to "make security make sense". Mostly that means fighting FUD and improving critical thinking skills in the realm of security which includes data and business integrity, development, safety, and trust. Many myths still surround security and only now we're starting to get enough people with open eyes making a difference. Unfortunately, there are still far too many parrots out there reciting what they heard about security, although it may no longer, if ever, be true or applicable.

Why do we need a security testing methodology? And why open source?

Without a security testing methodology, the actual test tends to be all over the place. One tester actually described this once to me as his test being "a mess" without it. The real answer is that a methodology is required to test anything thoroughly. As humans, we take short-cuts. We assume we know an answer or we know what's going on because of past experiences, and we cut to the chase because time is money and all that. However, when that happens, we leave many unverified (unanswered) questions and report our assumptions as if they were facts. A good security methodology does not let you do that. A good open source methodology means that many, many people don't let you do that. The open source concept actually means that anyone can contribute the ideas for thoroughness and it's not just up to one person, one group, or one authority. While not quite meritocratic, as a meritocracy implies, we follow the person with more "wins." In other words, we are democratic, as democracy works better for principles and ideas than facts. It is a successful peer review where our reviewers need to show how they got their answers.

How did the project for an Open Source Security Testing Methodology Manual (OSSTMM) start?

ISECOM began in January 2001 with the OSSTMM. Actually, the OSSTMM created ISECOM. The truth is really that I wanted to create a plan on how to test security because I didn't think it was being done right and I wanted to improve it. So I searched the net only to find everyone referring to this proprietary methodology they have that's so great. But I couldn't know because I couldn't see it. I was suspicious that it was true because I had seen the reports of some of the companies that said that they had some great proprietary methodology, and there was nothing special about what was essentially vulnerability scanner outputs re-dressed as reports. So once I finished something, I posted it to the web and asked the public to give feedback. I had no idea that I was not the only one in need of such a thing. So here we are, five years later, and the OSSTMM is at around four million downloads since its inception - with legislation requiring its use in some countries and some government employees and contractors around the world being required to be certified in it just to prove they can really do their jobs. And it's still growing at a fast and shiny pace. We're trying to staff up to handle this all, but that's a problem in itself.

Why did you create a certification process too?

The certification process evolved. A need happened, which was to do security testing reliably. There are a lot of people with these knowledge certs (the kind that requires knowing or memorizing something) and they didn't seem to get it. They just all made these horrible mistakes when it came to testing. Oh sure, they poked holes and penetrated, but were completely incapable of actually really testing security. It was like they tried to light up all the holes in Swiss cheese with a pocket flashlight from 100 meters away. Sure, some holes got exposed, but so many more didn't. So we decided to make sure that if we did a certification, it would have to ask the candidates to prove what they know by doing something. So we made the first walk-the-walk security certification of its kind. I'm happy we did it because it adds professionalism and legitimacy to this actually nascent field of security testing. Now it's not sparkly or fancy like certifications on penetration testing or ethical hacking because it's about getting the job done. It's hard work to pass them. It's the difference between rolling up your sleeves to work better and rolling them up to look like you are working. We prefer to help those who really need security and not just look like they have it for compliance reasons. Then again, we've come so far with only word of mouth, so I know we are doing something right.
