The Open Source Security Testing Methodology Manual (OSSTMM) provides structured modules for conducting thorough security assessments and penetration tests.
Core OSSTMM Testing Modules
- Physical Security Testing (PHYSSEC)
  - Access controls
  - Security awareness
  - Surveillance systems
  - Physical barriers
  - Environmental controls
- Human Security Testing (HUMSEC)
  - Social engineering assessment
  - Personnel security procedures
  - Security awareness evaluation
  - Trust verification
- Wireless Security Testing (SPECSEC)
  - Electromagnetic radiation
  - Wireless networks (WiFi)
  - Bluetooth connections
  - RFID systems
  - Infrared devices
- Telecommunications Testing (COMSEC)
  - Voice communications
  - PBX systems
  - Voicemail testing
  - Modem connections
  - FoIP/VoIP systems
- Data Networks Testing (DATASEC)
  - Network mapping
  - Port scanning
  - Service identification
  - Vulnerability assessment
  - Configuration review
Implementation Tips
Each module should be executed independently to maintain testing clarity and accuracy.
Document all findings using the STAR methodology (Situation, Task, Action, Result).
Use appropriate tools for each module – examples include Nmap for DATASEC, WiFi analyzers for SPECSEC, and social engineering frameworks for HUMSEC.
Common Tools by Module
| Module | Recommended Tools |
|---|---|
| PHYSSEC | Lock picking sets, RFID cloners, security cameras |
| HUMSEC | Social-Engineer Toolkit (SET), Maltego, OSINT tools |
| SPECSEC | Aircrack-ng, Kismet, WiFite, Bluetooth scanners |
| COMSEC | VoIP scanners, Wireshark, SIPVicious |
| DATASEC | Nmap, Metasploit, Nessus, OpenVAS |
Reporting Standards
- Include clear metrics for each test performed
- Document methodologies and tools used
- Provide evidence for findings
- List specific vulnerabilities identified
- Recommend practical remediation steps
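The reporting standards above ask for clear metrics and evidence per test, and the tool table names Nmap for the DATASEC module. The following script is an added example (not code from OSSTMM or ISECOM) showing how raw scanner output can be turned into the countable figures a DATASEC report cites: hosts up, open ports per host, and services identified. It parses Nmap's grepable output format (`-oG`), in which each port is written as seven slash-separated fields (port/state/protocol/owner/service/rpc info/version). The scan lines embedded in it are constructed for the example, with placeholder addresses and hostnames, and the script does not implement OSSTMM's rav calculation; it only produces the per-host counts that such a calculation or a report would consume.

```python
"""Summarise Nmap grepable output (-oG) into per-host metrics for a DATASEC report.

Added illustration, not OSSTMM/ISECOM code. The sample scan below is constructed;
addresses, hostnames and versions are placeholders, not real results.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Nmap -oG writes each port as seven slash-separated fields with a trailing slash.
PORT_FIELDS = ("port", "state", "protocol", "owner", "service", "rpc_info", "version")

# Constructed sample of -oG output (two hosts up, one down).
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.1 (gw.example.test)\tStatus: Up
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 80/open/tcp//http//nginx/, 443/open/tcp//http//nginx/\tIgnored State: closed (997)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)")


@dataclass
class HostResult:
    address: str
    hostname: str
    status: str = "unknown"
    ports: list = field(default_factory=list)  # one dict per port entry

    def open_ports(self):
        return [p for p in self.ports if p["state"] == "open"]


def parse_grepable(text):
    """Return {address: HostResult} from the text of an Nmap -oG file."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ('# Nmap ...') carry no host data
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        addr, name = match.group(1), match.group(2)
        host = hosts.setdefault(addr, HostResult(addr, name))
        for chunk in fields[1:]:
            if chunk.startswith("Status:"):
                host.status = chunk.split(":", 1)[1].strip()
            elif chunk.startswith("Ports:"):
                for entry in chunk[len("Ports:"):].strip().split(", "):
                    parts = entry.split("/")
                    if len(parts) < len(PORT_FIELDS):
                        continue  # malformed entry; skip rather than miscount
                    record = dict(zip(PORT_FIELDS, parts[: len(PORT_FIELDS)]))
                    record["port"] = int(record["port"])
                    host.ports.append(record)
    return hosts


def summarise(hosts):
    """Counts a DATASEC report can cite: hosts up, open ports, services seen."""
    summary = {
        "hosts_seen": len(hosts),
        "hosts_up": sum(1 for h in hosts.values() if h.status == "Up"),
        "hosts_with_open_ports": 0,
        "open_ports_total": 0,
        "services": Counter(),
        "per_host": {},
    }
    for addr, host in hosts.items():
        opened = host.open_ports()
        summary["per_host"][addr] = sorted(p["port"] for p in opened)
        summary["open_ports_total"] += len(opened)
        if opened:
            summary["hosts_with_open_ports"] += 1
        summary["services"].update(p["service"] or "unknown" for p in opened)
    return summary


def render(summary):
    """Plain-text lines suitable for pasting into the evidence section of a report."""
    lines = [
        f"Hosts seen: {summary['hosts_seen']}, up: {summary['hosts_up']}, "
        f"with open ports: {summary['hosts_with_open_ports']}",
        f"Open ports total: {summary['open_ports_total']}",
    ]
    for addr, ports in sorted(summary["per_host"].items()):
        lines.append(f"  {addr}: {', '.join(map(str, ports)) or 'none'}")
    for service, count in summary["services"].most_common():
        lines.append(f"  service {service}: {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarise(parse_grepable(SAMPLE_GREPABLE))))
```

Run against a real file with `parse_grepable(open("scan.gnmap").read())`; the same summary dictionary can be emitted as JSON alongside the raw `-oG` file so the metric and its evidence travel together in the report.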
For additional information and updates, visit the official OSSTMM website at ISECOM.org.
Contact your local ISECOM certified trainer for official OSSTMM training and certification options.
Testing Process Flow
The OSSTMM testing process follows a structured approach across all modules:
- Scope Definition
- Intelligence Gathering
- Testing Execution
- Analysis & Documentation
- Reporting & Recommendations
Best Practices
- Maintain clear separation between testing modules
- Establish proper authorization before testing
- Document all exceptions and limitations
- Follow local legal requirements
- Maintain confidentiality of findings
Testing Frequency
- PHYSSEC: Quarterly assessments
- HUMSEC: Bi-annual evaluations
- SPECSEC: Monthly scans
- COMSEC: Quarterly reviews
- DATASEC: Monthly automated scans, quarterly manual testing
Conclusion
OSSTMM provides a comprehensive framework for security testing across multiple domains. Successful implementation requires:
- Structured approach to all testing modules
- Proper documentation and evidence collection
- Regular updates to testing methodologies
- Continuous tool evaluation and improvement
- Adherence to professional standards and ethics
Organizations should integrate OSSTMM with other security frameworks for optimal security posture management.
FAQs
- What are the main testing modules in OSSTMM?
  The main modules are Human Security Testing (HST), Physical Security Testing (PhyST), Wireless Security Testing (WST), Telecommunications Security Testing (TST), Data Networks Security Testing (DNST), and Compliance Testing.
- What is the purpose of the Human Security Testing module?
  The Human Security Testing module evaluates human elements including social engineering, psychological manipulation, fraud, personnel security procedures, security awareness, and trust testing.
- What does the Physical Security Testing module cover?
  Physical Security Testing examines physical barriers, access controls, security systems, perimeter defenses, monitoring systems, alarm systems, and physical security processes and procedures.
- What aspects are tested in the Wireless Security Testing module?
  WST evaluates electromagnetic communications, wireless networks (WiFi), Bluetooth, RFID, infrared systems, and other wireless technologies operating in the electromagnetic spectrum.
- What does Telecommunications Security Testing assess?
  TST assesses telecommunications networks, including telephone systems, voicemail, PBX systems, modem communications, VoIP, and telecommunications infrastructure security.
- What is included in Data Networks Security Testing?
  DNST examines electronic systems, network protocols, communication methods, network services, operating systems, remote access systems, and security mechanisms within the network infrastructure.
- How does Compliance Testing fit into OSSTMM?
  Compliance Testing verifies adherence to security policies, industry standards, regulations, and legal requirements, ensuring the organization meets required security controls and practices.
- What metrics does OSSTMM use to measure security?
  OSSTMM uses RAVs (Risk Assessment Values), which include measurements of porosity, controls, limitations, visibility, access, trust, and operational security to calculate security metrics.
- How are test results quantified in OSSTMM?
  Results are quantified through security metrics called RAVs (risk assessment values), which provide a mathematical representation of the actual security level compared to the required security level.
- What is the key difference between OSSTMM and other security testing methodologies?
  OSSTMM focuses on operational security testing and measurable results rather than just vulnerability identification, providing a scientific approach to security testing with repeatable results.