The man behind OSSTMM

Would you like to provide more details?

ISECOM has been tapped by the OpenTC project to create the open methodology for testing and assuring integrity in systems using the Trusted Platform Module (TPM). We will use the community effort to get people to take control of the TPM on their motherboards through the creation of tests and processes governing usage, maintenance, application, and integrity. OpenTC is a big project funded by the EU and includes 23 universities and companies like AMD, Infineon, HP, IBM, and SUSE. As much as we all have a love-hate relationship with DRM, with most end-user's feelings being toward hate, we need to take control of that little chip on the motherboard. For example, there are no decent tools out there now that can tell us anything about the chip on our running computers and even less on telling us what's there or how to delete it. It's important that open collaboration steps up to do something about this and even more important if we have the approval of the big corporate suppliers through the OpenTC consortium.

Another area of interest is the vulnerability scanner. We're beginning a project to design an open source scanner that scales to large numbers while maintaining accuracy. We have some bright minds working on this already and we'd like to take this to the next level by not following the way things have been done. What we found is that in security testing, if we rely too much on precedent then we'll never be prepared for the unexpected.

Could you add some technical details about the vulnerability scanner?

The vulnerability scanner will first and foremost not be a vulnerability scanner per se as we know it. We are looking to make a security auditor that calculates the security metrics as based on OSSTMM 3.0.

Most people are already asking how it will compare to Nessus. It is not expected to compete on the same level of Nessus nor replace it. I mean let's face it, for what it's designed for, Nessus is really the cat's pyjamas. We just need a different approach for our tests.

First, we will deliver the methodology - the framework for it. This will allow it to be initially drafted with existing free and open source tools while applying the rule base and open methodology. We may provide a proof of concept with it to aide in improvement. Meanwhile, we do have already current development work being done on the scanner by three separate groups, each with a different goal. If any one of them decides to move towards being the scanner for this project then great! If not, with the PoC and methodology in place, we should be able to leverage development somewhere fairly easily.

Don't expect a Beta until after the summer. But OPST students may see versions of it in class as early as May.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Federico Biancuzzi is freelancer; in addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.