Truth is made of numbers. Following this golden rule, Federico Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of the OSSTMM, to talk about the upcoming revision 3.0 of the Open Source Security Testing Methodology Manual. He discusses why we need a testing methodology, why use open source, the value of certifications, and plans for a new vulnerability scanner developed with a different approach than Nessus.
Could you introduce yourself?
Pete Herzog: I'm Pete Herzog, Managing Director of ISECOM. I live in a small town in Catalonia just outside of Barcelona. It's also where I work part of the year. The other part of the year I work in the U.S. ISECOM is a non-profit, registered both here and in New York State, USA, with the aggressive mission to "make security make sense." Mostly that means fighting FUD and improving critical thinking skills in the realm of security, which includes data and business integrity, development, safety, and trust. Many myths still surround security, and only now are we starting to get enough people with open eyes making a difference. Unfortunately there are still far too many parrots out there reciting what they heard about security, although it may no longer, if ever, be true or applicable.
Why do we need a security testing methodology? And why open source?
Pete Herzog: Without a security testing methodology, the actual test tends to be all over the place. One tester actually described this once to me as his test being "a mess" without it. The real answer is that a methodology is required to test anything thoroughly. As humans, we take short-cuts. We assume we know an answer or we know what's going on because of past experiences, and we cut to the chase because time is money and all that. However, when that happens, we leave many unverified (unanswered) questions and report our assumptions as if they were facts. A good security methodology does not let you do that. A good open source methodology means that many, many people don't let you do that. The open source concept actually means that anyone can contribute the ideas for thoroughness, and it's not just up to one person, one group, or one authority. While not quite meritocratic, as a meritocracy implies, we follow the person with more "wins." In other words, we are democratic, as democracy works better for principles and ideas than facts. It is a successful peer review where our reviewers need to show how they got their answers.
How did the project for an Open Source Security Testing Methodology Manual (OSSTMM) start?
Pete Herzog: ISECOM began in January 2001 with the OSSTMM. Actually, the OSSTMM created ISECOM. The truth is really that I wanted to create a plan on how to test security because I didn't think it was being done right and I wanted to improve it. So I searched the net only to find everyone referring to this proprietary methodology they have that's so great. But I couldn't know because I couldn't see it. I was suspicious that it was true because I had seen the reports of some of the companies that said they had some great proprietary methodology, and there was nothing special about what was essentially vulnerability scanner output re-dressed as reports. So once I finished something, I posted it to the web and asked the public to give feedback. I had no idea that I was not the only one in need of such a thing. So here we are, five years later, and the OSSTMM is at around four million downloads since its inception, with legislation requiring its use in some countries and some government employees and contractors around the world being required to be certified in it just to prove they can really do their jobs. And it's still growing at a fast and shiny pace. We're trying to staff up to handle this all, but that's a problem in itself.
Why did you create a certification process too?
Pete Herzog: The certification process evolved. A need happened, which was to do security testing reliably. There are a lot of people with these knowledge certs (the kind that requires knowing or memorizing something) and they didn't seem to get it. They just all made these horrible mistakes when it came to testing. Oh sure, they poked holes and penetrated, but were completely incapable of actually really testing security. It was like they tried to light up all the holes in Swiss cheese with a pocket flashlight from 100 meters away. Sure, some holes got exposed, but so many more didn't. So we decided to make sure that if we did a certification, it would have to ask the candidates to prove what they know by doing something. So we made the first walk-the-walk security certification of its kind. I'm happy we did it because it adds professionalism and legitimacy to this actually nascent field of security testing. Now it's not sparkly or fancy like certifications on penetration testing or ethical hacking because it's about getting the job done. It's hard work to pass them. It's the difference between rolling up your sleeves to work better and rolling them up to look like you are working. We prefer to help those who really need security and not just look like they have it for compliance reasons. Then again, we've come so far with only word of mouth, so I know we are doing something right.