Feeds

The man behind OSSTMM

Federico Biancuzzi sits down with open source manual creator Pete Herzog

  • alert
  • submit to reddit

The essential guide to IT transformation

Pete Herzog, founder of ISECOM and creator of the Open Source Security Testing Methodology Manual (OSSTMM) talks with Federico Biancuzzi about the upcoming revision 3.0 of the OSSTMM.

Could you introduce yourself?

I'm Pete Herzog, managing director of ISECOM. I live in a small town in Catalonia just outside of Barcelona. It's also where I work part of the year. The other part of the year I work in the US. ISECOM is a non-profit, registered both here and in New York State, USA, with the aggressive mission to "make security make sense". Mostly that means fighting FUD and improving critical thinking skills in the realm of security which includes data and business integrity, development, safety, and trust. Many myths still surround security and only now we're starting to get enough people with open eyes making a difference. Unfortunately, there are still far too many parrots out there reciting what they heard about security, although it may no longer, if ever, be true or applicable.

Why do we need a security testing methodology? And why open source?

Without a security testing methodology, the actual test tends to be all over the place. One tester actually described this once to me as his test being "a mess" without it. The real answer is that a methodology is required to test anything thoroughly. As humans, we take short-cuts. We assume we know an answer or we know what's going on because of past experiences and we cut to the chase because time is money and all that. However, when that happens, we leave many unverified (unanswered) questions and report our assumptions as if they were facts. A good security methodology does not let you do that. A good open source methodology means that many many people don't let you do that. The open source concept actually means that anyone can contribute the ideas for thoroughness and it's not just up to one person, one group, or one authority. While not quite meritocratic as a meritocracy implies, we follow the person with more "wins." In other words, we are democratic as democracy works better for principles and ideas than facts. It is a successful peer review where our reviewers need to show how they got their answers.

How did the project for an Open Source Security Testing Methodology Manual (OSSTMM) start?

ISECOM began in January 2001 with the OSSTMM. Actually, the OSSTMM created ISECOM. The truth is really that I wanted to create a plan on how to test security because I didn't think it was being done right and I wanted to improve it. So I searched the net only to find everyone referring to this proprietary methodology they have that's so great. But I couldn't know because I couldn't see it. I was suspicious that it was true because I had seen the reports of some of the companies that said that they had some great proprietary methodology and there was nothing special about what was essentially vulnerability scanner outputs re-dressed as reports. So once I finished something, I posted it to the web and asked the public to give feedback. I had no idea that I was not the only one in need of such a thing. So here we are, five years later and the OSSTMM is at around four million downloads since its inception - with legislation requiring its use in some countries and some government employees and contractors around the world being required to be certified in it just to prove they can really do their jobs. And it's still growing at a fast and shiny pace. We're trying to staff-up to handle this all but that's a problem in itself.

Why did you create a certification process too?

The certification process evolved. A need happened which was to do security testing reliably. There are a lot of people with these knowledge certs (the kind that requires knowing or memorizing something) and they didn't seem to get it. They just all made these horrible mistakes when it came to testing. Oh sure, they poked holes and penetrated but were completely incapable of actually really testing security. It was like they tried to light up all the holes in Swiss cheese with a pocket flashlight from 100 meters away. Sure, some holes got exposed but so many more didn't. So we decided to make sure that if we did a certification that it would have to ask the candidates to prove what they know by doing something. So we made the first walk-the-walk security certification of its kind. I'm happy we did it because it adds professionalism and legitimacy to this actually nascent field of security testing. Now it's not sparkly or fancy like certifications on penetration testing or ethical hacking because it's about getting the job done. It's hard work to pass them. It's the difference between rolling up your sleeves to work better and rolling them up to look like you are working. We prefer to help those who really need security and not just look like they have it for compliancy reasons. Then again, we've come so far with only word of mouth so I know we are doing something right.

Next gen security for virtualised datacentres

More from The Register

next story
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.