- By Grant Gross -
It's a lonely crusade, but Pete Herzog believes security testing should be done in the open, not with what he calls the "secret methodology" advocated by some security experts.
Herzog is the sole developer listed on the Open Source Security Testing Methodology project hosted at SourceForge since late February. Herzog, a security expert living in Spain, says he started the project out of frustration with the lack of resources available while helping start security teams at three start-up companies.
"Naturally, I went to the Internet to search for much of the documentation to keep from re-inventing the wheel," he adds. "Part of my searching was pure competitive intelligence analysis. So I admit that much of the project had to do with my frustration at the number of security services companies I dealt with who claim to have some magic methodology that no one can see without buying their services and deconstructing their report (sometimes to find out they have a remarkably similar meth structure to an ISS report). So the need was clear to me that an open methodology needed to exist ..."
Herzog is getting ready to release the 1.0 version of the manual, and earlier this week he finished a companion training document called "Jack of All Trades," which will be posted in April as part of the manual. "The focus of the training is not so much technical skills but rather how to use the skills you have to be the best security tester you can be," writes Herzog on the SourceForge project site. The 0.9.3 version of the full manual is available at Herzog's Web site, ideahamster.org, along with a full description of the project.
Herzog decided to make the project an Open Source one so that small companies "who could not afford licenses of commercial testing tools and fancy hardware" could still afford to implement the recommendations. "I decided on GNU Open Source and mostly focus on the use of open-source tools within the manual," he says.
The project is not quite a one-man show at this point -- Herzog's wife, Marta, is handling the site design, link updates, news, and the export of the document into all its current forms, and a handful of other people have contributed to the project. Despite the lack of support so far, Herzog has big dreams for the project.
"I hope to make this really a free open standard which anyone can contribute to and anyone can use as a benchmark," he says. "The idea with the manual is that a private person can be directed to the source and the company who did the test can say, 'Here, we used the most thorough testing methodology we could, which was peer-reviewed by hundreds of experts and is constantly in revision to accommodate new technologies.' I think the private person who believes that four out of five dentists recommend Trident will also have faith in a consortium of security experts."
Herzog hopes an Open Source testing methodology will not only improve the level of trust users have in online businesses, but will also improve testing overall. One Spanish company has already used the methodology to improve its testing efficiency, he says, and with a thorough security manual, companies hiring security experts can check the work.
Herzog's next goal is to get more attention for the project, to get that "consortium of security experts" on board. He's hoping to hear from more information security experts familiar with the British Standard or OPSEC, and he's looking for experts to help with database pen-testing, PBX testing, trusted systems testing, and cookie and Web bug examinations, among other things.
"What's important is people read [the manual] and expertly criticise it in the discussion forums or mailing lists," he says. "Tell me my mistakes. I am one person with a huge task ahead of me and I'm willing to do what it takes to make sure anyone correctly using the Open Standard can guarantee quality and