OSSTMM3

Summary

The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for the accurate characterization of operational security (OpSec) through examination and correlation of test results in a consistent way. It is one of the most complete and commonly used professional standards in security audits to review the security of systems from the internet. The version used in this section is OSSTMM 3.0, published on December 14, 2010.

Definitions

Definition	Requirements
OSSTMM3-8_5_2. Physical security (access verification) - Authentication	257. Access based on user credentials
OSSTMM3-8_7_2. Physical security (controls verification) - Confidentiality	335. Define out of band token lifespan
OSSTMM3-8_7_4. Physical security (controls verification) - Integrity	232. Require equipment identity
OSSTMM3-9_1_1. Wireless security (posture review) - Policy	331. Guarantee legal compliance
OSSTMM3-9_2_2. Wireless security (logistics) - Communications	181. Transmit data using secure protocols 206. Configure communication protocols
OSSTMM3-9_3_1. Wireless security (active detection verification) - Channel monitoring	266. Disable insecure functionalities 378. Use of log management system
OSSTMM3-9_4_1. Wireless security (visibility audit) - Interception	249. Locate access points 320. Avoid client-side control enforcement
OSSTMM3-9_5_3. Evaluate configuration, authentication and encryption of wireless networks	248. SSID without dictionary words 254. Change SSID name
OSSTMM3-9_5_4. Wireless security (access verification) - Authentication	153. Out of band transactions 229. Request access credentials 319. Make authentication options equally secure
OSSTMM3-9_5_5. Wireless security (access verification) - Access control	250. Manage access points
OSSTMM3-9_7_3. Wireless security (controls verification) - Privacy	250. Manage access points 255. Allow access only to the necessary ports
OSSTMM3-9_7_4. Wireless security (controls verification) - Integrity	252. Configure key encryption 336. Disable insecure TLS versions
OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 237. Ascertain human interaction 327. Set a rate limit
OSSTMM3-9_9_2. Wireless security (configuration verification) - Configuration controls	062. Define standard configurations
OSSTMM3-9_15_2. Wireless security (privileges audit) - Authorization	096. Set user's required privileges
OSSTMM3-9_15_3. Wireless security (privileges audit) - Escalation	035. Manage privilege modifications
OSSTMM3-9_17_2. Wireless security (alert and log review) - Storage and retrieval	377. Store logs based on valid regulation 075. Record exceptional events in logs
OSSTMM3-10_2_1. Telecommunications security (logistics) - Framework	262. Verify third-party components
OSSTMM3-10_3_1. Telecommunications security (active detection verification) - Monitoring	262. Verify third-party components 075. Record exceptional events in logs
OSSTMM3-10_5_2. Telecommunications security (access verification) - Services	262. Verify third-party components 273. Define a fixed security suite 353. Schedule firmware updates
OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication	142. Change system default credentials 264. Request authentication 319. Make authentication options equally secure 334. Avoid knowledge-based authentication
OSSTMM3-10_7_2. Telecommunications security (controls verification) - Confidentiality	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 024. Transfer information using session objects
OSSTMM3-10_7_3. Telecommunications security (controls verification) - Privacy	336. Disable insecure TLS versions 338. Implement perfect forward secrecy
OSSTMM3-10_7_4. Telecommunications security (controls verification) - Integrity	330. Verify Subresource Integrity
OSSTMM3-10_9_3. Telecommunications security (configurations verification) - Configuration errors	154. Eliminate backdoors 155. Application free of malicious code
OSSTMM3-10_15_2. Telecommunications security (privileges audit) - Authorization	095. Define users with privileges
OSSTMM3-11_3_1. Data networks security (active detection verification) - Filtering	115. Filter malicious emails 258. Filter website content 041. Scan files for malicious code
OSSTMM3-11_5_3. Data networks security (access verification) - Authentication	126. Set a password regeneration mechanism 319. Make authentication options equally secure
OSSTMM3-11_6_2. Data networks security (trust verification) - Pishing	342. Validate request parameters
OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality	147. Use pre-existent mechanisms 159. Obfuscate code 184. Obfuscate application data 224. Use secure cryptographic mechanisms 062. Define standard configurations
OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy	185. Encrypt sensitive information 300. Mask sensitive data 336. Disable insecure TLS versions 338. Implement perfect forward secrecy 062. Define standard configurations
OSSTMM3-11_7_4. Data networks security (controls verification) - Integrity	150. Set minimum size for hash functions 224. Use secure cryptographic mechanisms 062. Define standard configurations
OSSTMM3-11_9_1. Data networks security - Configuration controls	375. Remove sensitive data from client-side applications 062. Define standard configurations
OSSTMM3-11_9_2. Data networks security - Common configuration errors	142. Change system default credentials 095. Define users with privileges
OSSTMM3-11_9_3. Data networks security - Limitations mapping	167. Close unused resources 221. Disconnect unnecessary input devices 322. Avoid excessive logging
OSSTMM3-11_11_1. Data networks security - Privacy containment mapping	176. Restrict system objects 177. Avoid caching and temporary files 185. Encrypt sensitive information 329. Keep client-side storage without sensitive data 339. Avoid storing sensitive files in the web root
OSSTMM3-11_11_2. Data networks security (segregation review) - Disclosure	176. Restrict system objects
OSSTMM3-11_13_1. Data networks security - Business grinding	249. Locate access points 300. Mask sensitive data
OSSTMM3-11_15_3. Data networks security (privileges audit) - Escalation	305. Prioritize token usage 033. Restrict administrative access
OSSTMM3-11_17_2. Data networks security (alert and log review) - Storage and retrieval	376. Register severity level 377. Store logs based on valid regulation 080. Prevent log modification

Last updated

2023/09/18