What is the OSSTMM?

The Open Source Security Testing Methodology Manual, or OSSTMM, was created to:

provide a scientific methodology for the accurate characterization of operational security (OpSec) through examination and correlation of test results in a consistent and reliable way. This manual is adaptable to almost any audit type, including penetration tests, ethical hacking, security assessments, vulnerability assessments, red-teaming, blue teaming, and so forth. It is written as a security research document and is designed for factual security verification and presentation of metrics on a professional level.

The manual is an open source product that is peer reviewed by security experts around the world. It was developed and is maintained by the Institute for Security and Open Methodologies (ISECOM), an open security research community that provides original resources, tools, and certifications in the field of security.

What does the OSSTMM cover?

The OSSTMM covers everything from what you need to know about your security program, what you need to do with it, how to create metrics for it, and, perhaps most importantly, how to test your security program. Below are the 5 areas (channels) of testing it covers:

  1. Human Security Testing
  2. Physical Security Testing
  3. Wireless Security Testing
  4. Telecommunications Security Testing
  5. Data Networks Security Testing

There are various ways to evaluate, measure, and test each and every one of these, whether it be through a penetration test, a gap analysis, a tabletop exercise, or some other form of testing.

The OSSTMM is a great resource for any information security or IT team, as well as for security professionals focused on penetration testing and red team engagements. We highly recommend reviewing it and incorporating anything that would benefit your security program. Have questions, or are you interested in a security assessment? Please reach out to us today and we would be happy to assist.