I am responsible for the information within this report and have personally verified that all information herein is factual and true.
SIGNATURE
COMPANY STAMP/SEAL
OPST Certification #
OPSA Certification #

OPERATIONAL SECURITY VALUES: Visibility, Access, Trust
LIMITATIONS VALUES: Vulnerability, Weakness, Concern, Exposure, Anomaly
CONTROLS VALUES: Authentication, Indemnification, Resilience, Subjugation, Continuity, Non-Repudiation, Confidentiality, Privacy, Integrity, Alarm

[rav diagram labels: OpSec, Limitations, True Controls, Security, True Protection, Actual Security]
OVERVIEW
This Open Source Security Testing Methodology Manual provides a methodology for a thorough security test. A security test is an accurate measurement of security at an operational level, void of assumptions and anecdotal evidence. A proper methodology makes for a valid security measurement that is consistent and repeatable.
ABOUT ISECOM
ISECOM, the creator and maintainer of the OSSTMM, is an independent, non-profit security research organization and certification authority defined by the principles of open collaboration and transparency.
PURPOSE
The primary purpose of this Audit Report is to provide a standard reporting scheme based on a scientific methodology for the accurate characterization of security through examination and correlation in a consistent and reliable way. The secondary purpose is to provide guidelines which when followed will allow the auditor to provide a certified OSSTMM audit.
PROCESS
This Audit Report must accompany the full security test report document that provides evidence of the test and the results as defined in the statement of work between the testing organization and the client.
VALIDITY
For this OSSTMM Audit Report to be valid, it must be filled out clearly, properly, and completely. The OSSTMM Audit Report must be signed by the lead or responsible tester or analyst and must include the stamp of the company which holds the contract or sub-contract for the test. This audit report must show under COMPLETION STATUS which Channel and which of the associated Modules and Tasks have been tested to completion, which have not been tested to completion, and which tests were not applicable and why. A report which documents that only specific parts of the Channel test have been completed due to time constraints, project problems, or customer refusal may still be recognized as an official OSSTMM audit if accompanied by this report clearly showing the deficiencies and the reasons for those deficiencies.
CERTIFICATION
OSSTMM certification is the assurance of an organization's security according to the thorough tests within the OSSTMM standard. It is available per vector and channel for organizations, or parts of organizations, that maintain a rav (Risk Assessment Value) level of at least 90%, validated yearly by an independent third-party auditor. Validation of security tests or quarterly metrics is subject to the ISECOM validation requirements to assure consistency and integrity.
1. POSTURE REVIEW
TASK | COMMENTS | COMPLETION STATUS
1.1 Identified business objectives and markets.
1.2 Identified legislation and regulations applicable to the targets in the scope.
1.3 Identified business policies.
1.4 Identified business and industry ethics policies.
1.5 Identified operation cultures and norms.
1.6 Identified operation times and flows applicable to the targets in the scope.
1.7 Identified all necessary Channels for this scope.
1.8 Identified all Vectors for this scope.
2. LOGISTICS
TASK | COMMENTS | COMPLETION STATUS
2.1 Applied testing safety measures.
2.2 Determined and accounted for test instabilities.
2.3 Determined and accounted for downtime in scope.
2.4 Determined and accounted for test pace according to the test environment and the security presence.
3.
TASK | COMMENTS | COMPLETION STATUS
3.1
3.2
3.3
3.4
4. VISIBILITY AUDIT
TASK | COMMENTS | COMPLETION STATUS
4.1 Determined targets through all enumeration tasks.
4.2 Determined new targets by researching known targets.
5.
TASK | COMMENTS | COMPLETION STATUS
5.1
5.2
5.3
5.4
5.5
5.6
6. TRUST VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
6.1 Determined interactions that rely on other interactions to complete the test interaction according to the tasks.
6.2 Determined targets with trust relationships to other targets in the scope to complete interactions.
6.3 Determined targets with trust relationships to other targets outside the scope to complete interactions.
6.4 Verified known security limitations of discovered trusts between the trusts.
6.5 Verified known security limitations of discovered trusts between targets in the scope and the trusted interactions.
6.6 Searched for novel circumvention techniques and security limitations of discovered trusts.
7.
TASK | COMMENTS | COMPLETION STATUS
7.1
7.2
7.3
7.4
7.5
7.6
7.7
8.
TASK | COMMENTS | COMPLETION STATUS
8.1
8.2
8.3
8.4
8.5
8.6
9.
TASK | COMMENTS | COMPLETION STATUS
9.1
9.2
9.3
9.4
10.
TASK | COMMENTS | COMPLETION STATUS
10.1
10.2
11.
TASK | COMMENTS | COMPLETION STATUS
11.1
11.2
11.3
11.4
12.
TASK | COMMENTS | COMPLETION STATUS
12.1
12.2
12.3
12.4
12.5
13.
TASK | COMMENTS | COMPLETION STATUS
13.1
13.2
13.3
13.4
14.
TASK | COMMENTS | COMPLETION STATUS
14.1
14.2
15. PRIVILEGES AUDIT
TASK | COMMENTS | COMPLETION STATUS
15.1 Verified the means of legitimately obtaining privileges for all authenticated interactions.
15.2 Verified the use of fraudulent identification to obtain privileges.
15.3 Verified the means of circumventing authentication requirements.
15.4 Verified the means of taking non-public authentication privileges.
15.5 Verified the means of hijacking other authentication privileges.
15.6 Verified known security limitations of discovered authentication mechanisms to escalate privileges.
15.7 Searched for novel circumvention techniques and security limitations of discovered authentication mechanisms to escalate privileges.
15.8 Determined the depth of all discovered authentication privileges.
15.9 Determined the re-usability of all discovered authentication privileges on the authentication mechanisms on all targets.
15.10 Verified requirements towards obtaining authentication privileges for discriminatory practices according to the Posture Review.
15.11 Verified means towards obtaining authentication privileges for discriminatory practices for people with disabilities.
16.
TASK | COMMENTS | COMPLETION STATUS
16.1
16.2
16.3
16.4
17.
TASK | COMMENTS | COMPLETION STATUS
17.1
17.2