7.3 The Open Source Security Testing Methodology Manual 201
Chapter 7
Like that child in the parable, the security tester must question the world as they see it. They see what is to be seen and then probe, poke, and otherwise test what they see and take note of what occurs in an unbiased way. Anything else would taint the results. For this reason, it’s important that beginning security testers see themselves as mad scientists—pariahs with unconventional means, experimenting on what no one else dares. Mad scientists, as we’re told from the movies, approach their subjects with great knowledge and curiosity under a strict, repetitive methodology, but are creative as hell where the methodologies end. It’s no wonder, then, that security testing appeals to both the good and the bad. The security industry is incredibly wide and therefore, just as wide, is the industry of those to test that security.
An Internet security test is no more than a view of a system at a single moment in time. As we have stated previously, periodic, frequent reviews of security, or multiple snapshots over time, will likely increase the security posture of an organization dramatically. However, this increased security posture rests on the assumption that the vulnerabilities found in security testing are acted upon in a timely manner. OSSTMM provides more than just a snapshot, if followed correctly. Herzog advocates a more holistic approach, which he refers to as the scattershot effect. This effect is seen when security practitioners execute various tests on the less dynamic components in an organization (e.g., PBX systems, automated door locks, etc.). Those tests retain their security value far longer than a simple snapshot, because the security of such components degrades more slowly and their recommended testing cycle is therefore much longer than for other components. For instance, it may be necessary to scan ports every eight days to remain at a 10% risk level, whereas testing the PBX is only necessary once every six months to remain at the same 10% risk level. So where a security test of the hosts may last a week, the test of the communications systems may last much longer. This approach addresses organizational security holistically, rather than with the conventional treat-the-symptom approach used by many organizations.
OSSTMM strives to become a central standard for security testing. Herzog believes that by following an open-source, standardized methodology, participants can make a valuable contribution to Internet security. We tend to agree with him.