The Institute for Security and Open Methodologies Announces 2.1 Release of the Open Source Security Testing Methodology Manual

Barcelona, Spain – 25th August 2003 – The Institute for Security and Open Methodologies (ISECOM) unveils the much anticipated 2.1 release of the Open Source Security Testing Methodology Manual (OSSTMM).

About the OSSTMM
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard method for performing security tests. Since its inception in January 2001, the OSSTMM has become the most widely used, peer-reviewed, comprehensive security testing methodology in existence. While other methodologies and “best practices” attack security testing from a 50,000-foot view, the OSSTMM focuses on the technical details of exactly which items need to be tested, what to do during a security test, and when different types of security tests should be performed. The OSSTMM provides testing methodologies for the following six security areas: Information Security, Process Security, Internet Technology Security, Communications Security, Wireless Security, and Physical Security.

To quote Pete Herzog, OSSTMM creator, “The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey’s already meager security budget; those who would side-step business values with over-hyped threats of legal compliancy, cyber-terrorism, and hackers.

The OSSTMM is everyone’s free, thorough tool to measure security inadequacies. For added value we include the ethical guidelines to separate professional security testers from those who are looking to just make some money. The OSSTMM exists because over 600 security volunteers worldwide cared enough to be involved in making practical, affordable security less of a lottery prize and more of a daily reality.”

ISECOM is successful at achieving its goals with the OSSTMM due to the open development environment in which it was created. When you use an internal testing methodology, you leverage the brain trust of a handful of security experts. The OSSTMM is powerful because it provides the collective best practices and the legal and ethical concerns of the global security testing community.

What’s New in the 2.1 Release
In the 2.1 release, ISECOM has overhauled the document structure and has updated tests in all six sections. New laws and best practices have been introduced and analyzed for security testing implications. The concept of Risk Assessment Values (RAVs) has been expanded. The security testing Rules of Engagement and Project Planning sections help the tester prepare for and manage a test. The 2.1 release now also includes the much-needed “Rules of Engagement” ethical context required to be a security testing professional.

About the Institute for Security and Open Methodologies (ISECOM)
ISECOM is a nonprofit organization that exists to increase the professionalism and legitimacy of the security testing industry. ISECOM achieves this through the open development of standardized methodologies, practical and ability-measured education programs, and accessible communication forums. Founded and led by Pete Herzog, ISECOM has established itself as a global leader for providing practical and relevant security methodologies accessible to all.

ISECOM’s education courses feature training based on ISECOM’s Open Source Security Testing Methodology Manual (OSSTMM). The courses offered include the OSSTMM Professional Security Tester (OPST), and the OSSTMM Professional Security Analyst (OPSA). These certifications measure a student’s ability to perform or analyze a security test performed using the OSSTMM. To sign up for a course, consult the ISECOM training schedule:, or contact your nearest ISECOM training partner:

To download your free copy of the OSSTMM, visit
For more information about ISECOM and other open-methodology projects, please visit
