OSSTMM3 | Compliance | Fluid Attacks Help

OSSTMM3

Summary

The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for the accurate characterization of operational security (OpSec) through examination and correlation of test results in a consistent way. It is one of the most complete and commonly used professional standards in security audits to review the security of systems from the internet. The version used in this section is OSSTMM 3.0, published on December 14, 2010.

Definitions

| Definition | Requirements |
| --- | --- |
| 8_5_2. Physical security (access verification) - Authentication | 257. Access based on user credentials |
| 8_7_2. Physical security (controls verification) - Confidentiality | 335. Define out of band token lifespan |
| 8_7_4. Physical security (controls verification) - Integrity | 232. Require equipment identity |
| 9_1_1. Wireless security (posture review) - Policy | 331. Guarantee legal compliance |
| 9_2_2. Wireless security (logistics) - Communications | 181. Transmit data using secure protocols; 206. Configure communication protocols |
| 9_3_1. Wireless security (active detection verification) - Channel monitoring | 266. Disable insecure functionalities; 378. Use of log management system |
| 9_4_1. Wireless security (visibility audit) - Interception | 249. Locate access points; 320. Avoid client-side control enforcement |
| 9_5_3. Evaluate configuration, authentication and encryption of wireless networks | 248. SSID without dictionary words; 254. Change SSID name |
| 9_5_4. Wireless security (access verification) - Authentication | 153. Out of band transactions; 229. Request access credentials; 319. Make authentication options equally secure |
| 9_5_5. Wireless security (access verification) - Access control | 250. Manage access points |
| 9_7_3. Wireless security (controls verification) - Privacy | 250. Manage access points; 255. Allow access only to the necessary ports |
| 9_7_4. Wireless security (controls verification) - Integrity | 252. Configure key encryption; 336. Disable insecure TLS versions |
| 9_9_1. Wireless security (configuration verification) - Common errors | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 237. Ascertain human interaction; 327. Set a rate limit |
| 9_9_2. Wireless security (configuration verification) - Configuration controls | 062. Define standard configurations |
| 9_15_2. Wireless security (privileges audit) - Authorization | 096. Set user's required privileges |
| 9_15_3. Wireless security (privileges audit) - Escalation | 035. Manage privilege modifications |
| 9_17_2. Wireless security (alert and log review) - Storage and retrieval | 075. Record exceptional events in logs; 377. Store logs based on valid regulation |
| 10_2_1. Telecommunications security (logistics) - Framework | 262. Verify third-party components |
| 10_3_1. Telecommunications security (active detection verification) - Monitoring | 075. Record exceptional events in logs; 262. Verify third-party components |
| 10_5_2. Telecommunications security (access verification) - Services | 262. Verify third-party components; 273. Define a fixed security suite; 353. Schedule firmware updates |
| 10_5_3. Telecommunications security (access verification) - Authentication | 142. Change system default credentials; 264. Request authentication; 319. Make authentication options equally secure; 334. Avoid knowledge-based authentication |
| 10_7_2. Telecommunications security (controls verification) - Confidentiality | 024. Transfer information using session objects; 147. Use pre-existent mechanisms; 224. Use secure cryptographic mechanisms |
| 10_7_3. Telecommunications security (controls verification) - Privacy | 336. Disable insecure TLS versions; 338. Implement perfect forward secrecy |
| 10_7_4. Telecommunications security (controls verification) - Integrity | 330. Verify Subresource Integrity |
| 10_9_3. Telecommunications security (configurations verification) - Configuration errors | 154. Eliminate backdoors; 155. Application free of malicious code |
| 10_15_2. Telecommunications security (privileges audit) - Authorization | 095. Define users with privileges |
| 11_3_1. Data networks security (active detection verification) - Filtering | 041. Scan files for malicious code; 115. Filter malicious emails; 258. Filter website content |
| 11_5_3. Data networks security (access verification) - Authentication | 126. Set a password regeneration mechanism; 319. Make authentication options equally secure |
| 11_6_2. Data networks security (trust verification) - Phishing | 342. Validate request parameters |
| 11_7_2. Data networks security (controls verification) - Confidentiality | 062. Define standard configurations; 147. Use pre-existent mechanisms; 159. Obfuscate code; 184. Obfuscate application data; 224. Use secure cryptographic mechanisms |
| 11_7_3. Data networks security (controls verification) - Privacy | 062. Define standard configurations; 185. Encrypt sensitive information; 300. Mask sensitive data; 336. Disable insecure TLS versions; 338. Implement perfect forward secrecy |
| 11_7_4. Data networks security (controls verification) - Integrity | 062. Define standard configurations; 150. Set minimum size for hash functions; 224. Use secure cryptographic mechanisms |
| 11_9_1. Data networks security - Configuration controls | 062. Define standard configurations; 375. Remove sensitive data from client-side applications |
| 11_9_2. Data networks security - Common configuration errors | 095. Define users with privileges; 142. Change system default credentials |
| 11_9_3. Data networks security - Limitations mapping | 167. Close unused resources; 221. Disconnect unnecessary input devices; 322. Avoid excessive logging |
| 11_11_1. Data networks security - Privacy containment mapping | 176. Restrict system objects; 177. Avoid caching and temporary files; 185. Encrypt sensitive information; 329. Keep client-side storage without sensitive data; 339. Avoid storing sensitive files in the web root |
| 11_11_2. Data networks security (segregation review) - Disclosure | 176. Restrict system objects |
| 11_13_1. Data networks security - Business grinding | 249. Locate access points; 300. Mask sensitive data |
| 11_15_3. Data networks security (privileges audit) - Escalation | 033. Restrict administrative access; 305. Prioritize token usage |
| 11_17_2. Data networks security (alert and log review) - Storage and retrieval | 080. Prevent log modification; 376. Register severity level; 377. Store logs based on valid regulation |