OSSTMM (Open Source Security Testing Methodology Manual) metrics provide standardized measurements for security testing and analysis.
The OSSTMM framework breaks down security metrics into measurable elements called RAVs (Risk Assessment Values).
Key OSSTMM Metrics Components:
- Operational Security Metrics (OpSec)
- Visibility
- Access
- Trust
Core Security Measurements:
| Metric Type | Description |
|---|---|
| Porosity | Measures the total number of findings in scope |
| Controls | Measures interactive security mechanisms |
| Limitations | Measures security boundaries and restrictions |
Calculating Security Metrics:
- True Protection = Controls + Limitations – Porosity
- Attack Surface = Porosity + Controls + Limitations
- Missing Controls = Total Possible Controls – Actual Controls
Practical Implementation Tips:
Start by mapping all visible assets and access points in the target environment.
Document all security controls, including both technical and operational measures.
Calculate the actual security metrics using OSSTMM worksheets or automated tools like ISECOM’s calculators.
Common Measurement Areas:
- Physical Security
- Wireless Communications
- Telecommunications
- Data Networks
- Human Security
Security testers should maintain detailed logs of all measurements for accurate metric calculation.
Regular validation of metrics ensures the testing methodology remains effective and current.
Tools for OSSTMM Metrics:
- OSSTMM Calculator (Free from ISECOM)
- RAV Calculator Spreadsheets
- Security Testing Documentation Templates
For more information and resources, contact ISECOM or visit their official website.
Pro Tip: Always verify metrics across multiple test runs to ensure consistency and accuracy.
Testing Process Integration
Documentation Requirements:
- Test Scope Definition
- Assessment Boundaries
- Testing Methodologies Used
- Raw Data Collection Methods
Quality Assurance Steps:
- Metric Validation Procedures
- Cross-Reference Testing
- Peer Review Process
- Data Integrity Checks
Advanced Metric Analysis
Trend Analysis:
| Analysis Type | Purpose |
|---|---|
| Historical Comparison | Track security posture changes over time |
| Benchmark Analysis | Compare metrics against industry standards |
| Gap Analysis | Identify areas needing improvement |
Conclusion
OSSTMM metrics provide a standardized framework for security measurement and analysis. Proper implementation requires:
- Consistent measurement methodologies
- Regular validation of results
- Proper documentation of all testing procedures
- Continuous monitoring and updates of security controls
Organizations should integrate OSSTMM metrics into their regular security assessment cycles for optimal results.
Final Tip: Review and update testing procedures quarterly to maintain effectiveness and relevance.
FAQs
- What is OSSTMM and what are its primary metrics?
OSSTMM (Open Source Security Testing Methodology Manual) metrics are quantitative measurements used in security testing. The primary metrics include RAV (Risk Assessment Value), True Controls, Missing Controls, and Operational Security measurements across the security sections of HUMSEC (Human Security), PHYSSEC (Physical Security), SPECSEC (Spectrum Security), COMSEC (Communications Security), and DATASEC (Data Networks Security). - How is the RAV (Risk Assessment Value) calculated in OSSTMM?
RAV is calculated by measuring the attack surface, known as porosity (number of inputs, outputs, and interactions), along with the controls (limitations, security, and countermeasures) and operational security elements. The formula considers both positive and negative security controls to provide a numerical value representing the actual security level. - What are True Controls in OSSTMM metrics?
True Controls are verified security measures that actively contribute to security without causing additional attack surface or vulnerabilities. They are categorized into Authentication, Indemnification, Subjugation, Continuity, Resilience, and Non-Repudiation controls. - How does OSSTMM measure Missing Controls?
Missing Controls are calculated by identifying gaps in the 10 security control categories: Authentication, Indemnification, Resilience, Subjugation, Continuity, Non-Repudiation, Confidentiality, Privacy, Integrity, and Alarm. Each missing control increases the overall attack surface. - What is the significance of Operational Security measurements in OSSTMM?
Operational Security measurements evaluate the effectiveness of security processes and procedures in actual operation. They include visibility, access, trust, authentication, and indemnification measurements to determine how well security controls function in real-world scenarios. - How does OSSTMM handle scope definition in security metrics?
OSSTMM defines scope through vector mapping, which includes identifying all channels, indices, and vectors within the test environment. This creates a comprehensive map of all possible attack surfaces and interaction points that need to be measured and tested. - What role do Loss Controls play in OSSTMM metrics?
Loss Controls measure the effectiveness of mechanisms that limit or prevent losses during security incidents. They include limitations, security awareness, access controls, accountability, and alarm systems that help minimize potential damage from security breaches. - How are Security Controls verified in OSSTMM testing?
Security Controls verification in OSSTMM involves testing each control against specific criteria for effectiveness, including interactive testing, process testing, and configuration review. Controls must demonstrate actual protection rather than theoretical security to be counted in the metrics. - What is the purpose of Trust Metrics in OSSTMM?
Trust Metrics measure the degree of trust relationships between systems, processes, and personnel. They evaluate how trust boundaries are established, maintained, and potentially exploited, helping identify areas where excessive trust might create security vulnerabilities. - How does OSSTMM measure security compliance?
OSSTMM measures compliance through a combination of operational security metrics and control verification. It provides a score called the Security Test Audit Report (STAR) that indicates how well security implementations align with required standards and best practices.
