Feeds

The man behind OSSTMM

Federico Biancuzzi sits down with open source manual creator Pete Herzog

  • alert
  • submit to reddit

Remote control for virtualized desktops

Pete Herzog, founder of ISECOM and creator of the Open Source Security Testing Methodology Manual (OSSTMM) talks with Federico Biancuzzi about the upcoming revision 3.0 of the OSSTMM.

Could you introduce yourself?

I'm Pete Herzog, managing director of ISECOM. I live in a small town in Catalonia just outside of Barcelona. It's also where I work part of the year. The other part of the year I work in the US. ISECOM is a non-profit, registered both here and in New York State, USA, with the aggressive mission to "make security make sense". Mostly that means fighting FUD and improving critical thinking skills in the realm of security which includes data and business integrity, development, safety, and trust. Many myths still surround security and only now we're starting to get enough people with open eyes making a difference. Unfortunately, there are still far too many parrots out there reciting what they heard about security, although it may no longer, if ever, be true or applicable.

Why do we need a security testing methodology? And why open source?

Without a security testing methodology, the actual test tends to be all over the place. One tester actually described this once to me as his test being "a mess" without it. The real answer is that a methodology is required to test anything thoroughly. As humans, we take short-cuts. We assume we know an answer or we know what's going on because of past experiences and we cut to the chase because time is money and all that. However, when that happens, we leave many unverified (unanswered) questions and report our assumptions as if they were facts. A good security methodology does not let you do that. A good open source methodology means that many many people don't let you do that. The open source concept actually means that anyone can contribute the ideas for thoroughness and it's not just up to one person, one group, or one authority. While not quite meritocratic as a meritocracy implies, we follow the person with more "wins." In other words, we are democratic as democracy works better for principles and ideas than facts. It is a successful peer review where our reviewers need to show how they got their answers.

How did the project for an Open Source Security Testing Methodology Manual (OSSTMM) start?

ISECOM began in January 2001 with the OSSTMM. Actually, the OSSTMM created ISECOM. The truth is really that I wanted to create a plan on how to test security because I didn't think it was being done right and I wanted to improve it. So I searched the net only to find everyone referring to this proprietary methodology they have that's so great. But I couldn't know because I couldn't see it. I was suspicious that it was true because I had seen the reports of some of the companies that said that they had some great proprietary methodology and there was nothing special about what was essentially vulnerability scanner outputs re-dressed as reports. So once I finished something, I posted it to the web and asked the public to give feedback. I had no idea that I was not the only one in need of such a thing. So here we are, five years later and the OSSTMM is at around four million downloads since its inception - with legislation requiring its use in some countries and some government employees and contractors around the world being required to be certified in it just to prove they can really do their jobs. And it's still growing at a fast and shiny pace. We're trying to staff-up to handle this all but that's a problem in itself.

Why did you create a certification process too?

The certification process evolved. A need happened which was to do security testing reliably. There are a lot of people with these knowledge certs (the kind that requires knowing or memorizing something) and they didn't seem to get it. They just all made these horrible mistakes when it came to testing. Oh sure, they poked holes and penetrated but were completely incapable of actually really testing security. It was like they tried to light up all the holes in Swiss cheese with a pocket flashlight from 100 meters away. Sure, some holes got exposed but so many more didn't. So we decided to make sure that if we did a certification that it would have to ask the candidates to prove what they know by doing something. So we made the first walk-the-walk security certification of its kind. I'm happy we did it because it adds professionalism and legitimacy to this actually nascent field of security testing. Now it's not sparkly or fancy like certifications on penetration testing or ethical hacking because it's about getting the job done. It's hard work to pass them. It's the difference between rolling up your sleeves to work better and rolling them up to look like you are working. We prefer to help those who really need security and not just look like they have it for compliancy reasons. Then again, we've come so far with only word of mouth so I know we are doing something right.

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.