Now there is some good news: the open source body the Ideahamster Organisation is developing an industry standard for security testing, the Open Source Security Testing Methodology Manual (OSSTMM).
Ideahamster started last year with the aim of introducing standards that make the comparison of security products easier. Its members include security experts and developers who, like the rest of us, had grown tired of seeing poor-quality security testing methodologies. The main objective is to deliver a security testing methodology that sets the standard for security testing regardless of the size of the organisation, the environment or the vendor.
The development of a standard will avoid the current situation where security companies use a number of different methodologies all of which produce different results and are of unknown quality.
Anyone following the outline requirements in the manual can claim to have completed a successful security snapshot which, if nothing else, is thorough. The term "snapshot" is deliberate: a test only describes the configuration as it stood at the time, and today's IT environments change constantly, so the result has a limited shelf life.
Pete Herzog, a former IBM ethical hacker, heads the development group. He says he chose the open source route because he believed a standard methodology would gain far wider approval through peer recognition and peer input into its design.
The manual includes a sample report listing every element that must be considered and tested for a test to meet the OSSTMM compliance clause, along with data-collection templates and several other standard OSSTMM testing instruments.
The acid test of any methodology is its general acceptance and recognition within the industry. Ideahamster has been sensible to follow the open source model, which, as it rightly points out, will promote acceptance. As we all know, there are standards and there are standards; a further benefit of the open source approach is that the OSSTMM can be developed to reflect the ongoing changes in the technology in use today, rather than IT as it stood when development started.
So it looks as though we have the start of another exciting new open source project. As security becomes an increasingly important issue for the enterprise, a trusted point of reference becomes a necessity. Who knows, maybe someone will apply the OSSTMM and be able to tell us all which is the most secure operating system?
News source: IT-Director - Open Source gets security standards