Comments on Wagner Elias - Think Security First: "OSSTMM and ISO/IEC 15.408: two problems we created ourselves" (feed updated 2023-06-03)

Pete Herzog (http://www.isecom.org), 2010-08-26 11:39 -03:00

I think you're confusing what people say and what ISECOM says. The OSSTMM is a methodology for security testing, of which penetration testing is a subset. Penetration testing is about exploiting vulnerabilities and mistakes to prove that a certain depth and breadth can be reached. If you limit the OSSTMM in many ways and provide a black box test then yes, it can be used for penetration testing, but that's not what it's made for. Actually, it was made to replace the limited and fairly useless penetration test, which puts customers on a patch/test loop and scales very poorly to large infrastructures.

OSSTMM 2.2 was the completed version of the 2 series and has been released for a couple now. OSSTMM 3 is still incomplete, but to say it's always improving shouldn't be a negative thing. When the next version is completed, it's released publicly for free like all the others. Right now, contributors on any ISECOM project get free access to the OSSTMM 3 draft, as do supporters who pay because they don't have the time to work on it. We've even given the draft to government researchers and student thesis writers who ask, for free. So if you want to help us, and we do need help, you'd have access too. I don't see that as marketing; I see that as fair.

You, and a few others, do a lot of complaining about when the OSSTMM 3 will come out and what it is no good for, but none of the complainers ever decided to contribute to improve it. So I'm really sorry you feel this way, but it's really only up to you to do something about it.

Elias Wagner, 2010-08-26 17:47 -03:00

My post deals with how some Brazilian professionals refer to the methodology, not with what the OSSTMM represents.

You said: "If you limit the OSSTMM in many ways and provide a black box test then yes, it can be used for penetration testing but that's not what it's made for".

I respect your work, but I do not feel comfortable contributing to a project that has a strong commercial appeal and is much more FREE (http://books.google.com/books?id=lLZbXN2odVYC&printsec=frontcover&source=gbs_navlinks_s) and not much Open.

Pete Herzog (http://www.isecom.org), 2010-08-27 04:37 -03:00

Okay, I thought you meant we said it.

I'm sorry you don't want to contribute to anything that needs to advertise itself. But pretty much every organization needs to do that. As far as the openness is concerned, I think you have your facts wrong again. It was open for years via a Moodle and only became contributors-only in the last 2 years because of many misunderstandings. You forget that it is a standard, referenced by ISO and NIST, and we had problems with drafts being used as final versions and critics who said that OSSTMM can't be used because it's only a draft. So to fix that, we made a small hurdle to get a copy and make clear that it is indeed a draft.

But just saying no, you don't want to contribute because of the OSSTMM, is also not fair. We run many other projects as well that are as open and free as you want, which you could contribute to and then get access to the OSSTMM: hackerhighschool.org, badpeopleproject.org, SCARE, SOMA, etc.

Elias Wagner, 2010-08-27 06:37 -03:00

Hi Pete,

really, I did not know that the project had been opened and closed for the reasons you mentioned.

I used and studied the OSSTMM for a long time, but I have not seen the evolution. Maybe I was looking in the wrong place; I subscribe to the mailing list.

I can participate and help, but I need more information and access to the development and publication process. What I question about the Open Source model is that a fee is charged for access, which in my understanding is not open.

But as I said, I respect your work and you must have your reasons for following this model.

Cheers.