OSSTMM3

Summary

The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for the accurate characterization of operational security (OpSec) through examination and correlation of test results in a consistent way. It is one of the most complete and commonly used professional standards in security audits to review the security of systems from the internet. The version used in this section is OSSTMM 3.0, published on December 14, 2010.

Definitions

Definition	Requirements
8_5_2. Physical security (access verification) - Authentication	257. Access based on user credentials
8_7_2. Physical security (controls verification) - Confidentiality	335. Define out of band token lifespan
8_7_4. Physical security (controls verification) - Integrity	232. Require equipment identity
9_1_1. Wireless security (posture review) - Policy	331. Guarantee legal compliance
9_2_2. Wireless security (logistics) - Communications	181. Transmit data using secure protocols 206. Configure communication protocols
9_3_1. Wireless security (active detection verification) - Channel monitoring	266. Disable insecure functionalities 378. Use of log management system
9_4_1. Wireless security (visibility audit) - Interception	249. Locate access points 320. Avoid client-side control enforcement
9_5_3. Evaluate configuration, authentication and encryption of wireless networks	248. SSID without dictionary words 254. Change SSID name
9_5_4. Wireless security (access verification) - Authentication	153. Out of band transactions 229. Request access credentials 319. Make authentication options equally secure
9_5_5. Wireless security (access verification) - Access control	250. Manage access points
9_7_3. Wireless security (controls verification) - Privacy	250. Manage access points 255. Allow access only to the necessary ports
9_7_4. Wireless security (controls verification) - Integrity	252. Configure key encryption 336. Disable insecure TLS versions
9_9_1. Wireless security (configuration verification) - Common errors	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 237. Ascertain human interaction 327. Set a rate limit
9_9_2. Wireless security (configuration verification) - Configuration controls	062. Define standard configurations
9_15_2. Wireless security (privileges audit) - Authorization	096. Set user's required privileges
9_15_3. Wireless security (privileges audit) - Escalation	035. Manage privilege modifications
9_17_2. Wireless security (alert and log review) - Storage and retrieval	075. Record exceptional events in logs 377. Store logs based on valid regulation
10_2_1. Telecommunications security (logistics) - Framework	262. Verify third-party components
10_3_1. Telecommunications security (active detection verification) - Monitoring	075. Record exceptional events in logs 262. Verify third-party components
10_5_2. Telecommunications security (access verification) - Services	262. Verify third-party components 273. Define a fixed security suite 353. Schedule firmware updates
10_5_3. Telecommunications security (access verification) - Authentication	142. Change system default credentials 264. Request authentication 319. Make authentication options equally secure 334. Avoid knowledge-based authentication
10_7_2. Telecommunications security (controls verification) - Confidentiality	024. Transfer information using session objects 147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
10_7_3. Telecommunications security (controls verification) - Privacy	336. Disable insecure TLS versions 338. Implement perfect forward secrecy
10_7_4. Telecommunications security (controls verification) - Integrity	330. Verify Subresource Integrity
10_9_3. Telecommunications security (configurations verification) - Configuration errors	154. Eliminate backdoors 155. Application free of malicious code
10_15_2. Telecommunications security (privileges audit) - Authorization	095. Define users with privileges
11_3_1. Data networks security (active detection verification) - Filtering	041. Scan files for malicious code 115. Filter malicious emails 258. Filter website content
11_5_3. Data networks security (access verification) - Authentication	126. Set a password regeneration mechanism 319. Make authentication options equally secure
11_6_2. Data networks security (trust verification) - Pishing	342. Validate request parameters
11_7_2. Data networks security (controls verification) - Confidentiality	062. Define standard configurations 147. Use pre-existent mechanisms 159. Obfuscate code 184. Obfuscate application data 224. Use secure cryptographic mechanisms
11_7_3. Data networks security (controls verification) - Privacy	062. Define standard configurations 185. Encrypt sensitive information 300. Mask sensitive data 336. Disable insecure TLS versions 338. Implement perfect forward secrecy
11_7_4. Data networks security (controls verification) - Integrity	062. Define standard configurations 150. Set minimum size for hash functions 224. Use secure cryptographic mechanisms
11_9_1. Data networks security - Configuration controls	062. Define standard configurations 375. Remove sensitive data from client-side applications
11_9_2. Data networks security - Common configuration errors	095. Define users with privileges 142. Change system default credentials
11_9_3. Data networks security - Limitations mapping	167. Close unused resources 221. Disconnect unnecessary input devices 322. Avoid excessive logging
11_11_1. Data networks security - Privacy containment mapping	176. Restrict system objects 177. Avoid caching and temporary files 185. Encrypt sensitive information 329. Keep client-side storage without sensitive data 339. Avoid storing sensitive files in the web root
11_11_2. Data networks security (segregation review) - Disclosure	176. Restrict system objects
11_13_1. Data networks security - Business grinding	249. Locate access points 300. Mask sensitive data
11_15_3. Data networks security (privileges audit) - Escalation	033. Restrict administrative access 305. Prioritize token usage
11_17_2. Data networks security (alert and log review) - Storage and retrieval	080. Prevent log modification 376. Register severity level 377. Store logs based on valid regulation

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.

OSSTMM3 | Compliance | Fluid Attacks Help

OSSTMM3

Summary

Definitions