Open Source Security Testing Methodology Manual (OSSTMM)

Introduction

The OSSTMM (Open Source Security Testing Methodology Manual) is a publicly available standard for conducting security testing. It is developed and maintained by ISECOM (Institute for Security and Open Methodologies).

Unlike many other frameworks, OSSTMM follows a highly formalized approach. Its goal is to make security measurable and comparable, rather than purely descriptive. It is not limited to web applications but provides a holistic view across multiple security domains.

The official documentation is available at:
https://www.isecom.org/OSSTMM.3.pdf

Objectives

  • Provide a scientific and structured testing methodology
  • Enable measurable and comparable security assessments
  • Standardize security testing approaches
  • Separate objective findings from subjective interpretation

Structure of OSSTMM

OSSTMM is structured around security channels:

Human Security Channel
- Social engineering
- Security awareness
- Organizational weaknesses

Physical Security Channel
- Physical access controls
- Surveillance systems
- Physical system access

Wireless Security Channel
- Wi-Fi security
- Bluetooth and radio technologies
- Unsecured wireless communications

Telecommunications Security Channel
- VoIP systems
- Telephony infrastructure
- Communication networks

Data Networks Security Channel
- Networks
- Servers
- Applications

Methodology

OSSTMM introduces measurable concepts such as:

  • Trust
  • Controls
  • Limitations
  • Interactions

A key metric is the RAV (Risk Assessment Value), which aims to quantify the security level of a system.

The methodology emphasizes:

  • Reproducibility
  • Objectivity
  • Clear separation of data and interpretation

Practical Relevance

In practice, OSSTMM is recognized as a structured and academically influenced framework. It is primarily used in contexts where formal, reproducible, and theoretically grounded security assessments are required.

However, it is rarely applied in its entirety in real-world engagements. Most organizations use it as a conceptual reference rather than a fully implemented methodology.

Limitations

OSSTMM has significant limitations in practical application. A major criticism is its strong theoretical and academic nature. The framework resembles a scientific model for describing and measuring security rather than a practical guide for conducting penetration tests.

The complexity of its concepts and metrics makes it difficult to apply in real-world scenarios. Fully implementing the methodology across all defined channels is uncommon due to time and budget constraints.

Additionally, the framework lacks practical, actionable testing guidance. Testers often need to rely on other, more pragmatic methodologies for execution.

Finally, the emphasis on quantification can create a false sense of precision. Many aspects of security cannot be fully measured, and the resulting metrics may not accurately reflect real-world risk.

Contact

binsec GmbH
Clemensstraße 6-8
60487 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorized Officer: Dominik Sauer, Florian Zavatzki
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808