
Open Source security manual: A lonely crusade

Author: JT Smith

By Grant Gross

It’s a lonely crusade, but Pete Herzog believes security testing should be done in the open, not with what he calls the “secret methodology” advocated by some security experts.

Herzog is the sole developer listed on the Open Source Security Testing Methodology project, hosted at SourceForge since late February. Herzog, a security expert living in Spain, says he started the project out of frustration at the lack of resources available while helping start security teams at three start-up companies.

“Naturally, I went to the Internet to search for much of the documentation to keep from re-inventing the wheel,” he adds. “Part of my searching was pure competitive intelligence analysis. So I admit that much of the project had to do with my frustration at the number of security services companies I dealt with who claim to have some magic methodology that no one can see without buying their services and deconstructing their report (sometimes to find out they have a remarkably similar meth structure to an ISS report). So the need was clear to me that an open methodology needed to exist …”

Herzog is getting ready to release the 1.0 version of the manual, and earlier this week he finished a companion training document called, “Jack of All Trades,” which will be posted in April as part of the manual. “The focus of the training is not so much technical skills but rather how to use the skills you have to be the best security tester you can be,” writes Herzog on the SourceForge project site. The 0.9.3 version of the full manual is available at Herzog’s Web site, ideahamster.org, along with a full description of the project.

Herzog decided to make the project an Open Source one so that small companies “who could not afford licenses of commercial testing tools and fancy hardware” could still afford to implement the recommendations. “I decided on GNU Open Source and mostly focus on the use of open-source tools within the manual,” he says.

The project is not quite a one-man show at this point: Herzog’s wife, Marta, is handling the site design, link updates, news, and the export of the document into all its current forms, and a handful of other people have contributed to the project. Despite the lack of support so far, Herzog has big dreams for the project.

“I hope to make this really a free open standard which anyone can contribute to and anyone can use as a benchmark,” he says. “The idea with the manual is that a private person can be directed to the source and the company who did the test can say, ‘Here, we used the most thorough testing methodology we could, which was peer-reviewed by hundreds of experts and is constantly in revision to accommodate new technologies.’ I think the private person who believes that four out of five dentists recommend Trident will also have faith in a consortium of security experts.”

Herzog hopes an Open Source testing methodology will not only improve the level of trust users have in online businesses, but also improve testing overall. One Spanish company has already used the methodology to improve its testing efficiency, he says, and with a thorough security manual, companies hiring security experts can check the work.

Herzog’s next goal is to get more attention for the project, to get that “consortium of security experts” on board. He’s hoping to hear from more information security experts familiar with the British Standard or OPSEC, and he’s looking for experts to help with database pen-testing, PBX testing, trusted systems testing, and cookie and Web bug examinations, among other things.

“What’s important is people read [the manual] and expertly criticise it in the discussion forums or mailing lists,” he says. “Tell me my mistakes. I am one person with a huge task ahead of me and I’m willing to do what it takes to make sure anyone correctly using the Open Standard can guarantee quality and thoroughness.”


Citec Information Oy Ab is proud to present DocZilla

Author: JT Smith

“Imagine that you could combine in one product a standardized web browser, with all the nice features that usually has been possible only in tailor-made SGML/XML browsers : features like reading native SGML and XML files without transformation into HTML, advanced linking support, CALS tables, structured search, advanced navigators, friendly user interface etc. This is a product that all, especially companies within the technical field, have been waiting for a long time. DocZilla makes it all possible, plus much more.”

LinuxMedNews reaches one year, 263 articles

Author: JT Smith

Saint writes, “A year has passed already since LinuxMedNews opened March 30th, 2000. Happy Birthday. 263 articles have appeared in that time and the site has been featured on LinuxToday, Newsforge, LinuxNews.com and Slashdot.org. It has also been linked by numerous other sites. There have been good articles and cruddy articles. There have been spirited debates such as that on the VistA project, which even attracted the attention of the patriarch of free software, Richard M. Stallman. The future direction of LinuxMedNews will be examined in the near future, particularly whether it should become ‘less fun’ and ‘more serious’. LinuxMedNews also needs to find a revenue stream, which was a near miss before the Linuxgruven.com melt-down. Fortunately, LMN is in this for the long haul. In the meantime, some things have changed in one year of free and open medical software; many things haven’t.

Read the original article here.”


Microtech Computers Inc. acquires Atipa’s hardware division

Author: JT Smith

KANSAS CITY, MO (March 30, 2001) – Atipa Corporation announced today that its hardware division, which has specialized in developing Linux cluster solutions for high performance computing (HPC) in the scientific, educational and corporate sectors, has been sold to Microtech Computers, Inc. The former Atipa division will now become a division of Microtech doing business under the name Atipa Technologies.

The transaction continues Atipa’s strategic transformation from a comprehensive, end-to-end provider of Linux-based hardware, software, and professional services to a company providing multi-platform enterprise management software and support. Atipa will continue to provide corporate management services and support to its two subsidiaries, OpenNMS of Raleigh, North Carolina and Enhanced Software Technologies (EST), Inc. of Phoenix, Arizona.

OpenNMS is the start-up company that created OpenNMS.org, the open source project that is developing next-generation network management software. The OpenNMS management team will lead an Atipa subsidiary to be announced this summer that will provide enterprise management software products and comprehensive professional services and support. EST is a veteran player in the backup market, providing leading backup solutions and utilities since 1985 and Linux-based solutions since 1994. EST has long set the standard for data protection with its flagship product, the award-winning BRU™, and recently launched a new product, BRU Pro™, the business-level “Backup You Can Trust” for small to mid-sized enterprises.

Founded in 1986 and headquartered in Lawrence, Kansas, Microtech is currently a leading ISO-9002 certified manufacturer of Microsoft-based custom PC and server solutions with a diverse national customer base. The acquisition of Atipa’s hardware unit supports Microtech’s mission to become a leading national provider of multi-platform solutions by entering the growing HPC market as a branded provider of high-quality Linux clustering solutions.

“The decision to focus all of our corporate resources exclusively on the software end of our business reflects a fundamental shift away from Atipa’s original business strategy of becoming a full-service Linux provider,” said Jeffrey Keenan, Atipa’s Chairman and Chief Executive Officer. “While sales from our HPC unit increased dramatically in 2000, our board and management team felt that Atipa’s long-term interests would be better served by narrowing our focus to the promising new market opportunities of our software subsidiaries. We are excited about our prospects for success and convinced that this strategic shift in Atipa’s direction will be rewarding for both our shareholders and employees.”

“The combination of Microtech’s cutting-edge, ISO-certified manufacturing processes with Atipa’s brand name and footprint in the HPC space presents the perfect opportunity for us to expand into a new market,” said Mike Zheng, founder and President of Microtech. “As an established and growing company that has been competing successfully in the hardware business for 15 years, we believe we can add even more value to Atipa’s product offerings and continue expanding their blue-chip customer base. This is definitely a win-win for both companies.”

Terms of the transaction were not disclosed. Additional background information on Atipa and Microtech can be found at the following web sites:
www.atipa.com
www.microtechcomp.com
www.estinc.com
www.opennms.org

CONTACT: Darrek Porter
816-60-1134 x107
dporter@atipa.com

We’re backing Bluetooth, Intel reiterates

Author: JT Smith

“Bluetooth is a standard, not a product,” said Intel marketing manager Simon Ellis, and one that’s in pretty good shape after only two years of development. Noting that it took almost five years of development before USB was ready for prime time, Ellis also re-stated Intel’s devotion to Bluetooth. Eventually, the chipmaker will build the technology into its chipsets. Story at The Register.


MS to users: Pay up (suckers)

Author: JT Smith

“These days, the only thing that Microsoft is interested in discussing with its customers is licensing issues,” said John Luludis, CIO of Danzas AEI, an international shipping company with about 10,000 Windows desktops. “We spend a lot of time and resources constantly proving license compliance, while we try to plan an optimum configuration to deal with the rising cost of ownership related to Microsoft’s products.” More at InternetWeek.com.

OpenHack: Did he win or not?

Author: JT Smith

From WiredNews: “A hacker is claiming that he has won Argus’ ballyhooed OpenHack III competition by cracking its much-vaunted PitBull security system. Argus concedes the crack, but isn’t awarding the promised big cash prize.”


Perens to call IBM’s bluff on patents

Author: JT Smith

“Bruce Perens, the open source founding father who hired on at HP as a strategic advisor in December, is planning to hold the collective toes of the computer establishment to the fire over the issue of open sourcing their precious patent portfolios.

Perens says he’s gotten the money from HP to co-sponsor an invitation-only closed-door summit near the Moscone Center in San Francisco on the Friday and Saturday after LinuxWorld this August and intends to challenge the likes of IBM, which holds 10% of all the patents in the industry, to figure out a way to open up its invaluable treasure house to open source developers.” More at LinuxGram.

VAN partners with MandrakeSoft to develop Windows to Linux migration tool

Author: JT Smith

“Virtual Access Networks, Inc., a leader in settings migration and remote access technologies, today announced a strategic relationship with MandrakeSoft, the most user-friendly and best-selling Linux operating system of 2000, according to PC Data. Under the partnership, Virtual Access Networks and MandrakeSoft will collaborate to develop a Windows to Linux settings migration tool…” Read the full press release at LinuxPR.

Holocaust charges against IBM dropped

Author: JT Smith

The lawyer who sued IBM over its role in the Holocaust has dropped his suit. Michael D Hausfeld said that German companies refused to make any payments to Holocaust survivors until all outstanding claims against them had been dismissed, and that they should have “no excuse” to delay payments any further. Story at ZDNet News.
