OSSTMM3

Summary

The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for the accurate characterization of operational security (OpSec) through examination and correlation of test results in a consistent way. It is one of the most complete and commonly used professional standards in security audits to review the security of systems from the internet. The version used in this section is OSSTMM 3.0, published on December 14, 2010.

Definitions

| Definition | Requirements |
|---|---|
| 8_5_2. Physical security (access verification) - Authentication | 257. Access based on user credentials |
| 8_7_2. Physical security (controls verification) - Confidentiality | 335. Define out of band token lifespan |
| 8_7_4. Physical security (controls verification) - Integrity | 232. Require equipment identity |
| 9_1_1. Wireless security (posture review) - Policy | 331. Guarantee legal compliance |
| 9_2_2. Wireless security (logistics) - Communications | 181. Transmit data using secure protocols; 206. Configure communication protocols |
| 9_3_1. Wireless security (active detection verification) - Channel monitoring | 266. Disable insecure functionalities; 378. Use of log management system |
| 9_4_1. Wireless security (visibility audit) - Interception | 249. Locate access points; 320. Avoid client-side control enforcement |
| 9_5_3. Evaluate configuration, authentication and encryption of wireless networks | 248. SSID without dictionary words; 254. Change SSID name |
| 9_5_4. Wireless security (access verification) - Authentication | 153. Out of band transactions; 229. Request access credentials; 319. Make authentication options equally secure |
| 9_5_5. Wireless security (access verification) - Access control | 250. Manage access points |
| 9_7_3. Wireless security (controls verification) - Privacy | 250. Manage access points; 255. Allow access only to the necessary ports |
| 9_7_4. Wireless security (controls verification) - Integrity | 252. Configure key encryption; 336. Disable insecure TLS versions |
| 9_9_1. Wireless security (configuration verification) - Common errors | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 237. Ascertain human interaction; 327. Set a rate limit |
| 9_9_2. Wireless security (configuration verification) - Configuration controls | 062. Define standard configurations |
| 9_15_2. Wireless security (privileges audit) - Authorization | 096. Set user's required privileges |
| 9_15_3. Wireless security (privileges audit) - Escalation | 035. Manage privilege modifications |
| 9_17_2. Wireless security (alert and log review) - Storage and retrieval | 075. Record exceptional events in logs; 377. Store logs based on valid regulation |
| 10_2_1. Telecommunications security (logistics) - Framework | 262. Verify third-party components |
| 10_3_1. Telecommunications security (active detection verification) - Monitoring | 075. Record exceptional events in logs; 262. Verify third-party components |
| 10_5_2. Telecommunications security (access verification) - Services | 262. Verify third-party components; 273. Define a fixed security suite; 353. Schedule firmware updates |
| 10_5_3. Telecommunications security (access verification) - Authentication | 142. Change system default credentials; 264. Request authentication; 319. Make authentication options equally secure; 334. Avoid knowledge-based authentication |
| 10_7_2. Telecommunications security (controls verification) - Confidentiality | 024. Transfer information using session objects; 147. Use pre-existent mechanisms; 224. Use secure cryptographic mechanisms |
| 10_7_3. Telecommunications security (controls verification) - Privacy | 336. Disable insecure TLS versions; 338. Implement perfect forward secrecy |
| 10_7_4. Telecommunications security (controls verification) - Integrity | 330. Verify Subresource Integrity |
| 10_9_3. Telecommunications security (configurations verification) - Configuration errors | 154. Eliminate backdoors; 155. Application free of malicious code |
| 10_15_2. Telecommunications security (privileges audit) - Authorization | 095. Define users with privileges |
| 11_3_1. Data networks security (active detection verification) - Filtering | 041. Scan files for malicious code; 115. Filter malicious emails; 258. Filter website content |
| 11_5_3. Data networks security (access verification) - Authentication | 126. Set a password regeneration mechanism; 319. Make authentication options equally secure |
| 11_6_2. Data networks security (trust verification) - Phishing | 342. Validate request parameters |
| 11_7_2. Data networks security (controls verification) - Confidentiality | 062. Define standard configurations; 147. Use pre-existent mechanisms; 159. Obfuscate code; 184. Obfuscate application data; 224. Use secure cryptographic mechanisms |
| 11_7_3. Data networks security (controls verification) - Privacy | 062. Define standard configurations; 185. Encrypt sensitive information; 300. Mask sensitive data; 336. Disable insecure TLS versions; 338. Implement perfect forward secrecy |
| 11_7_4. Data networks security (controls verification) - Integrity | 062. Define standard configurations; 150. Set minimum size for hash functions; 224. Use secure cryptographic mechanisms |
| 11_9_1. Data networks security - Configuration controls | 062. Define standard configurations; 375. Remove sensitive data from client-side applications |
| 11_9_2. Data networks security - Common configuration errors | 095. Define users with privileges; 142. Change system default credentials |
| 11_9_3. Data networks security - Limitations mapping | 167. Close unused resources; 221. Disconnect unnecessary input devices; 322. Avoid excessive logging |
| 11_11_1. Data networks security - Privacy containment mapping | 176. Restrict system objects; 177. Avoid caching and temporary files; 185. Encrypt sensitive information; 329. Keep client-side storage without sensitive data; 339. Avoid storing sensitive files in the web root |
| 11_11_2. Data networks security (segregation review) - Disclosure | 176. Restrict system objects |
| 11_13_1. Data networks security - Business grinding | 249. Locate access points; 300. Mask sensitive data |
| 11_15_3. Data networks security (privileges audit) - Escalation | 033. Restrict administrative access; 305. Prioritize token usage |
| 11_17_2. Data networks security (alert and log review) - Storage and retrieval | 080. Prevent log modification; 376. Register severity level; 377. Store logs based on valid regulation |