The Vacuity of the Open Source Security Testing Methodology Manual

10/13/2020
by Martin R. Albrecht, et al.

The Open Source Security Testing Methodology Manual (OSSTMM) provides a "scientific methodology for the accurate characterization of operational security" [Her10, p.13]. It is extensively referenced in writings aimed at security testing professionals such as textbooks, standards and academic papers. In this work we offer a fundamental critique of OSSTMM and argue that it fails to deliver on its promise of actual security. Our contribution is threefold and builds on a textual critique of this methodology. First, OSSTMM's central principle is that security can be understood as a quantity of which an entity has more or less. We show why this is wrong and how OSSTMM's unified security score, the rav, is an empty abstraction. Second, OSSTMM disregards risk by replacing it with a trust metric which confuses multiple definitions of trust and, as a result, produces a meaningless score. Finally, OSSTMM has been hailed for its attention to human security. Yet it understands all human agency as a security threat that needs to be constantly monitored and controlled. Thus, we argue that OSSTMM is neither fit for purpose nor can it be salvaged, and it should be abandoned by security professionals.

