OSSTMM version 3 coming soon?

In a previous life, I was a computer security specialist.  I had a really cool job, and worked with really, really damn cool people (hi Gerald, Doug, Jon, et al).  I read (a tiny fraction of) all the cool security news.  I kept up to date on as many security topics as I could.  I read security books.  I studied a lot of security web sites.  I took training from SANS.  I subscribed to a few security mailing lists, although much of the detail in many vulnerability announcements messages was above my understanding.

But in all that reading, research, study, training, and other learning, one of the coolest things I ever consumed was the OSSTMM project. Rather than try to explain this project, I’ll just snag the introductory text from the project home site:

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The version I read when I first found this was 2.2.  It has been years since I used it, and I periodically check in for updates on the version 3.0 release.  I haven’t seen an update on the web site, and I’m not a team member/subscriber to the service, so I didn’t expect I would know unless I checked in on my own.  Well tonight, while catching up on email, I get this message from the project:


Maybe you forgot us 😉 Six years is a long time to work on a single version of a project. That time is coming to an end and the OSSTMM 3 has been fully researched, completely re-written, and is nearly ready for press.

OSSTMM RC15, the Beta draft has just been uploaded for Silver Team members and OSSTMM RC20, the Alpha draft has just been uploaded for the Gold Team, partners, and team members.

All tests have been fully edited as well as most chapters. It contains the new, more usable format and descriptive content with greater explanations to make it easier to use. It also includes a full chapter
on Analysis.

Only a few chapters are missing. Chapter on RAV Calculations is still partially unedited and the Trust Metrics chapter is still incomplete. End chapters for templates and other extras are still incomplete. The unedited and incomplete chapters have been clearly labeled for completion.

We have a full color cover with an animal symbol ready to go, an OSSTMM security picture for the back cover, templates, and many graphics still to be added for the public version. Further examples,
graphics, and tips and tricks will go into the print version.

It feels so good to be so close to completing this version!


I’m really looking forward to getting this update. As a non-member, I know I will still have to wait. But as a consumer of all things open source, I expect it to be worth it. And I intend to review the final version and try to offer feedback, in the manner I hope most open source consumers at least try to do. Even if I have nothing to offer, I believe just making an honest effort to contribute is an important part of being in the community.  If I were still actively in security, I would probably subscribe, but it’s hard to justify the expense at this moment since I’m not doing security any more (but would like to – hint, hint)

If you are in to computer security at all, I can recommend the OSSTMM as a good resource for testing guidance.

[tags]OSSTMM, Open Source security, Security[/tags]