Re: OSSTMM how good is it?

From: rik kershaw-moore (rkm@tsiolkovsky.co.uk)
Date: Wed May 17 2006 - 01:45:25 EDT

• Next message: Craig Wright: "Contract drafting for an engagement"
• Previous message: Ivan Arce: "Re: rules of engagement scope"
• In reply to: Steve Armstrong: "RE: OSSTMM how good is it?"
• Next in thread: stevearmstrong@logicallysecure.com: "Re: RE: OSSTMM how good is it?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Tuesday 16 May 2006 13:01, Steve Armstrong wrote:

> However, you state you are undertaking IS1&3 but not 2 why is that. And
> given the nature of IS1&3 why are you using CRAMM?

Beaucse IS2 is th building of Accreditation Document sets - which fall outside
the remit, as does IS4 and IS5.

> Finally, are you looking to use the OSSTMM as in internal testing
> standard or one to level contracts against? I ask because your
> questioning alludes to a non technical level of expertise but you are
> discussing a methodology to undertake technical testing.

We are looking for an internal testing methodology. We already have an very
technical internal testing system in place, but it is home grown and our
accreditors wish for something more recognised.

This accounts for why we have to use CRAMM as well as IS1. Now IS1 is a good
back of a fag packet stuff, useful in management meetings and the like but
our accreditors don't trust it for some reason.

Rik

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

• Next message: Craig Wright: "Contract drafting for an engagement"
• Previous message: Ivan Arce: "Re: rules of engagement scope"
• In reply to: Steve Armstrong: "RE: OSSTMM how good is it?"
• Next in thread: stevearmstrong@logicallysecure.com: "Re: RE: OSSTMM how good is it?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:58 EDT