What You Need to Know About OSSTMM

by Hannah Grace Holladay / December 21st, 2023

What is the Open Source Security Testing Methodology Manual (OSSTMM)?

The Open Source Security Testing Methodology Manual, or OSSTMM, is a peer-reviewed methodology for security testing, maintained by the Institute for Security and Open Methodologies (ISECOM).

The manual is updated roughly every six months so that it stays relevant to the current state of security testing. ISECOM’s main goal with the OSSTMM is to offer a scientific method for accurately understanding operational security. You can use it for penetration testing, ethical hacking, and other security tests. Because the methodology is built on verified facts, organizations that use the OSSTMM for penetration testing can make informed decisions.

OSSTMM includes the following key sections:

  • Operational Security Metrics
  • Trust Analysis
  • Work Flow
  • Human Security Testing
  • Physical Security Testing
  • Wireless Security Testing
  • Telecommunications Security Testing
  • Data Networks Security Testing
  • Compliance Regulations
  • Reporting with the STAR (Security Test Audit Report)

At KirkpatrickPrice, we use the OSSTMM to develop our advanced penetration testing services. Because top industry sources inform our tests, they are reliable, effective, and thorough. The OSSTMM allows KirkpatrickPrice to perform penetration tests that deliver measurable and accurate results.

What makes up the OSSTMM? Which principles and channels does its methodology test? Below, we define the OSSTMM further and explore the five core testing channels and methodologies.

5 OSSTMM Testing Channels & Methodology

To help organizations understand their security, the OSSTMM guides businesses in testing their operational security through five channels. Doing so helps them determine how well their security processes actually function. Essentially, the tests reveal what your operations actually accomplish, not just what they are supposed to accomplish.

The five channels tested include:

  1. Human Security: Assessing the security in human interactions and communications.
  2. Physical Security: Rigorously testing any tangible aspects of security requiring physical effort.
  3. Wireless Communications: Examining electronic signals and communications, covering all aspects of wireless security.
  4. Telecommunications: Evaluating digital and analog telecommunications networks, including all forms of phone and network line communications.
  5. Data Networks: Testing electronic systems and data networks that communicate over wired (cabled) network lines.

The OSSTMM focuses on these five channels as the important operational areas that need proper security testing to secure your organization. Our penetration testing methodology builds on these ideas to find enterprise weaknesses and vulnerabilities that need further attention.

That’s the value the OSSTMM brings to the table.

Pen Testing with the OSSTMM Methodology

Why is it important to test your security controls? Why should your organization spend time and money on penetration testing?

According to the IBM Security 2019 Cost of a Data Breach Report, the average cost of a data breach in the United States is 8.9 million dollars. When you partner with a quality auditing firm, you’re helping your organization close the gaps in your security and catch costly vulnerabilities.

Imagine what that cost could do to your organization.

It’s a cost you can avoid when you hire penetration testers that rely on quality methodologies such as the OSSTMM. To find your operational security gaps and reduce your risk of breach, contact KirkpatrickPrice today.

About the Author

Hannah Grace Holladay

Hannah Grace Holladay is an experienced content marketer with degrees in both creative writing and public relations. She has earned her Certificate in Cybersecurity (CC) certification from (ISC)2 and has worked for KirkpatrickPrice since November 2019, starting first as a Professional Writer before moving to the marketing team as our Content Marketing Specialist. Her experience at KirkpatrickPrice and love for storytelling inspires her to create content that educates, empowers, and inspires the cybersecurity industry.