A Sweet Example of Using the OSSTMM

It’s a bit of a tangled web, but let me try to comb it out:

ISECOM is the parent organization for a whole cluster of projects, including the Monster that Ate My Summer, Hacker High School. One of their premier products is the Open Source Security Testing Methodology Manual (OSSTMM), a handbook for testing network and organizational security that brings an entirely different mindset to the practice of information security.

I’ve been reading and re-reading the OSSTMM and gradually coming to understand how to use it, so it’s been particularly useful to see an example. Pablo Endres, an HHS contributor, recently released a short, concise and very clear paper on the subject of a common security practice: putting a “reverse proxy” server in between your web server farm and the Internet. This practice is so commonly accepted that I’ve never even seen a testing scenario that validates it. But Pablo put it to the test of the OSSTMM, and found that the answer to the question, “Is it effective?”, is “It depends.” Check out his blog here, where you can also download the PDF of Pablo’s paper.

The application of the OSSTMM is really simple and elegant. And it’s required reading for my security students now.