The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed, scientific framework for auditing and verifying operational security. Maintained by ISECOM, it provides a structured, measurable, and repeatable approach to testing physical, human, wireless, data network, and telecommunication security.
Key Aspects of OSSTMM:
Scientific Approach: It focuses on measuring actual security in terms of visibility, access, and trust (VAT) rather than just listing vulnerabilities.
Methodology: It covers five key channels: human security, physical security, wireless, data networks, and telecommunications.
Metrics: It utilizes the RAV (Risk Assessment Value) calculator to provide quantitative, standardized metrics for measuring the attack surface.
Goal: To determine the actual operational security, helping organizations understand their exposure and improve defenses.
Structure: It consists of six sections: Human Security, Physical Security, Wireless Security, Telecommunications, Data Networks, and Compliance.
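To make the VAT idea concrete, the following added example (not ISECOM's RAV calculator and not taken from the OSSTMM text) tallies the three porosity components over a constructed scope inventory. It assumes the OSSTMM 3 working definitions that visibility counts targets that can be determined to exist, access counts points where interaction with a target is possible, and trust counts interactions between in-scope targets that require no authentication; the hosts, ports and trust links are made up for the demonstration, and the full RAV formula (controls, limitations, scaling) is deliberately left out.

```python
"""Illustrative porosity (Visibility + Access + Trust) count in the spirit of OSSTMM.

Added example for this summary, not ISECOM's own RAV calculator. It only tallies
the three VAT components from a constructed inventory; it does not reproduce the
RAV formula's handling of controls, limitations or logarithmic scaling.
"""
from dataclasses import dataclass, field


@dataclass
class Target:
    name: str
    reachable: bool                    # can the target be determined to exist? (Visibility)
    services: list = field(default_factory=list)  # interactive points, e.g. open ports (Access)
    trusts: list = field(default_factory=list)    # in-scope peers accepted without authentication (Trust)


def porosity(scope):
    """Return (visibility, access, trust, total) for a list of Target objects.

    Only reachable targets contribute: an unreachable host is neither visible
    nor offers access, and a trust whose either end is unreachable is not
    counted because no interaction across it can be exercised.
    """
    by_name = {t.name: t for t in scope}
    visibility = sum(1 for t in scope if t.reachable)
    access = sum(len(t.services) for t in scope if t.reachable)
    trust = sum(
        1
        for t in scope if t.reachable
        for peer in t.trusts
        if peer in by_name and by_name[peer].reachable
    )
    return visibility, access, trust, visibility + access + trust


def remove_service(scope, target_name, port):
    """Return a new scope with one interactive point removed (e.g. a closed port)."""
    new_scope = []
    for t in scope:
        services = [s for s in t.services if not (t.name == target_name and s == port)]
        new_scope.append(Target(t.name, t.reachable, services, list(t.trusts)))
    return new_scope


# Constructed sample scope (hypothetical hosts, not from any real assessment).
SAMPLE_SCOPE = [
    Target("web", True, services=[80, 443, 22], trusts=["db"]),
    Target("db", True, services=[3306], trusts=["web"]),
    Target("backup", False, services=[22], trusts=["db"]),  # powered off during the test
]


def demo():
    """Show how closing an unneeded management port shrinks the attack surface."""
    before = porosity(SAMPLE_SCOPE)
    after = porosity(remove_service(SAMPLE_SCOPE, "web", 22))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("V/A/T/porosity before:", before)
    print("V/A/T/porosity after closing web:22:", after)
```

Running the script reports two reachable targets, four interactive points and two exercisable trusts (porosity 8); closing SSH on the web host drops access to three and porosity to seven, which is the kind of measurable change an OSSTMM-style audit records rather than a list of findings.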
OSSTMM is used for penetration testing, security audits, and risk assessments to validate that security controls are functioning as intended.