What You Need to Know About OSSTMM

by Sarah Harvey / October 3rd, 2019

What is the Open Source Security Testing Methodology Manual (OSSTMM)?

The Open Source Security Testing Methodology Manual, or OSSTMM, is a peer-reviewed methodology for security testing, maintained by the Institute for Security and Open Methodologies (ISECOM).

The manual is updated every six months or so, to remain relevant to the current state of security testing. ISECOM says its main objective with the OSSTMM is to provide a scientific process for the accurate characterization of operation security that can be used for penetration testing, ethical hacking, and other security testing. ISECOM focuses on verified facts to make sure that organizations using the OSSTMM for their own penetration testing methodologies can know they are making fact-based decisions.

The OSSTMM is used by KirkpatrickPrice to develop our advanced penetration testing services. Our penetration tests are reliable, effective, and thorough because they are ever influenced by the best sources in the industry. The OSSTMM allows KirkpatrickPrice to perform penetration tests that provide measurable and accurate results.

What makes up the OSSTMM? Which principles and channels are tested in the OSSTMM methodology?

Let’s examine the OSSTMM further.

5 OSSTMM Testing Channels & Methodology

The OSSTMM provides guidance on how to test the operational security of five channels so organizations can understand the full extent of their security and determine how well their security processes actually function. It’s about what your operations actually do, and not just what they are supposed to do.

These five channels include:

  1. Human Security: The security of human interaction and communication is evaluated operationally as a means of testing
  2. Physical Security: The OSSTMM tests physical security defined as any tangible element of security that takes physical effort to operate
  3. Wireless Communications: Electronic communications, signals, and emanations are all considered wireless communications that are part of the operational security testing
  4. Telecommunications: Whether the telecommunication network is digital or analog, any communication conducted over telephone or network lines are tested in the OSSTMM
  5. Data Networks: The security testing of data networks includes electronic systems and data networks that are used for communication or interaction via cable and wired network lines

The OSSTMM focuses on these five channels as important operational areas that need proper security testing to secure your organization. In our penetration testing methodology, we build upon these ideas to find any enterprise weaknesses and vulnerabilities that need to be further addressed.

That’s the value the OSSTMM brings to the table.

Pen Testing With the OSSTMM Methodology

Why is it important to test your security controls? Why should your organization spend time and money on penetration testing?

Well, when you choose to work with a quality auditing firm, you’re choosing to set your organization up to close the gaps in your security and catch the vulnerabilities before it costs you even more. According to the IBM Security 2019 Cost of a Data Breach Report, the average cost of a data breach in the United States is 8.9 million dollars.

Imagine what that cost could do to your organization.

It’s a cost you can avoid when you hire penetration testers that rely on quality methodologies such as the OSSTMM. Find your operational security gaps before they are breached. Contact KirkpatrickPrice today.

More Penetration Testing Resources