
OSSTMM3


Summary

The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for the accurate characterization of operational security (OpSec) through the examination and correlation of test results in a consistent way. It is one of the most complete and widely used professional standards for security audits that assess the security of systems exposed to the internet. The version used in this section is OSSTMM 3.0, published on December 14, 2010.

Definitions

| Definition | Requirements |
|---|---|
| 8_5_2. Physical security (access verification) - Authentication | 257. Access based on user credentials |
| 8_7_2. Physical security (controls verification) - Confidentiality | 335. Define out of band token lifespan |
| 8_7_4. Physical security (controls verification) - Integrity | 232. Require equipment identity |
| 9_1_1. Wireless security (posture review) - Policy | 331. Guarantee legal compliance |
| 9_2_2. Wireless security (logistics) - Communications | 181. Transmit data using secure protocols; 206. Configure communication protocols |
| 9_3_1. Wireless security (active detection verification) - Channel monitoring | 266. Disable insecure functionalities; 378. Use of log management system |
| 9_4_1. Wireless security (visibility audit) - Interception | 249. Locate access points; 320. Avoid client-side control enforcement |
| 9_5_3. Evaluate configuration, authentication and encryption of wireless networks | 248. SSID without dictionary words; 254. Change SSID name |
| 9_5_4. Wireless security (access verification) - Authentication | 153. Out of band transactions; 229. Request access credentials; 319. Make authentication options equally secure |
| 9_5_5. Wireless security (access verification) - Access control | 250. Manage access points |
| 9_7_3. Wireless security (controls verification) - Privacy | 250. Manage access points; 255. Allow access only to the necessary ports |
| 9_7_4. Wireless security (controls verification) - Integrity | 252. Configure key encryption; 336. Disable insecure TLS versions |
| 9_9_1. Wireless security (configuration verification) - Common errors | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters; 237. Ascertain human interaction; 327. Set a rate limit |
| 9_9_2. Wireless security (configuration verification) - Configuration controls | 062. Define standard configurations |
| 9_15_2. Wireless security (privileges audit) - Authorization | 096. Set user's required privileges |
| 9_15_3. Wireless security (privileges audit) - Escalation | 035. Manage privilege modifications |
| 9_17_2. Wireless security (alert and log review) - Storage and retrieval | 075. Record exceptional events in logs; 377. Store logs based on valid regulation |
| 10_2_1. Telecommunications security (logistics) - Framework | 262. Verify third-party components |
| 10_3_1. Telecommunications security (active detection verification) - Monitoring | 075. Record exceptional events in logs; 262. Verify third-party components |
| 10_5_2. Telecommunications security (access verification) - Services | 262. Verify third-party components; 273. Define a fixed security suite; 353. Schedule firmware updates |
| 10_5_3. Telecommunications security (access verification) - Authentication | 142. Change system default credentials; 264. Request authentication; 319. Make authentication options equally secure; 334. Avoid knowledge-based authentication |
| 10_7_2. Telecommunications security (controls verification) - Confidentiality | 024. Transfer information using session objects; 147. Use pre-existent mechanisms; 224. Use secure cryptographic mechanisms |
| 10_7_3. Telecommunications security (controls verification) - Privacy | 336. Disable insecure TLS versions; 338. Implement perfect forward secrecy |
| 10_7_4. Telecommunications security (controls verification) - Integrity | 330. Verify Subresource Integrity |
| 10_9_3. Telecommunications security (configurations verification) - Configuration errors | 154. Eliminate backdoors; 155. Application free of malicious code |
| 10_15_2. Telecommunications security (privileges audit) - Authorization | 095. Define users with privileges |
| 11_3_1. Data networks security (active detection verification) - Filtering | 041. Scan files for malicious code; 115. Filter malicious emails; 258. Filter website content |
| 11_5_3. Data networks security (access verification) - Authentication | 126. Set a password regeneration mechanism; 319. Make authentication options equally secure |
| 11_6_2. Data networks security (trust verification) - Phishing | 342. Validate request parameters |
| 11_7_2. Data networks security (controls verification) - Confidentiality | 062. Define standard configurations; 147. Use pre-existent mechanisms; 159. Obfuscate code; 184. Obfuscate application data; 224. Use secure cryptographic mechanisms |
| 11_7_3. Data networks security (controls verification) - Privacy | 062. Define standard configurations; 185. Encrypt sensitive information; 300. Mask sensitive data; 336. Disable insecure TLS versions; 338. Implement perfect forward secrecy |
| 11_7_4. Data networks security (controls verification) - Integrity | 062. Define standard configurations; 150. Set minimum size for hash functions; 224. Use secure cryptographic mechanisms |
| 11_9_1. Data networks security - Configuration controls | 062. Define standard configurations; 375. Remove sensitive data from client-side applications |
| 11_9_2. Data networks security - Common configuration errors | 095. Define users with privileges; 142. Change system default credentials |
| 11_9_3. Data networks security - Limitations mapping | 167. Close unused resources; 221. Disconnect unnecessary input devices; 322. Avoid excessive logging |
| 11_11_1. Data networks security - Privacy containment mapping | 176. Restrict system objects; 177. Avoid caching and temporary files; 185. Encrypt sensitive information; 329. Keep client-side storage without sensitive data; 339. Avoid storing sensitive files in the web root |
| 11_11_2. Data networks security (segregation review) - Disclosure | 176. Restrict system objects |
| 11_13_1. Data networks security - Business grinding | 249. Locate access points; 300. Mask sensitive data |
| 11_15_3. Data networks security (privileges audit) - Escalation | 033. Restrict administrative access; 305. Prioritize token usage |
| 11_17_2. Data networks security (alert and log review) - Storage and retrieval | 080. Prevent log modification; 376. Register severity level; 377. Store logs based on valid regulation |