OSSTMM – A Penetration Testing Methodology

OSSTMM – A Penetration Testing Methodology - Securium solutions

In this article we will get to know OSSTMM and penetration testing methodologies. So, without any delay, let's start.

What is penetration testing?

Penetration testing is known by many names, such as pen testing and hacking. It is the process of testing the security of a system, web application, network, app or device in order to find threats and vulnerabilities, attempt to exploit them just as an attacker would, and measure the resulting risk. A pen test can be performed remotely or on-site, depending on the type of test, and it can be black box, white box or grey box. The results of a pen test can be used to demonstrate compliance with certain standards, assure third parties that the data they entrust to you is safe, measure how security-aware your employees are, and show whether the organization can identify, respond to and recover from an incident.


Welcome to the world of OSSTMM

The Open Source Security Testing Methodology Manual, aka OSSTMM, is just what its name implies: it is open source, meaning its methodologies are peer-reviewed by experts around the world and are free to download and implement. It contains various methodologies for security testing.

Alternatives to OSSTMM are OWASP, NIST, PTES and ISSAF.

To download the latest version of OSSTMM, go to the following link:

It is updated almost every 6 months and is maintained by ISECOM (Institute for Security and Open Methodologies). OSSTMM tests the operational security of the 5 channels listed below, so organizations can understand the full extent of their security and determine how well their security processes actually function.

  • Human Security: The security of human interaction and communication is evaluated operationally as a means of testing.
  • Physical Security: OSSTMM tests physical security, defined as any tangible element of security that takes physical effort to operate.
  • Wireless Communications: Electronic communications, signals and emanations are all considered wireless communications and are part of the operational security testing.
  • Telecommunications: Whether the telecommunication network is digital or analog, any communication conducted over telephone or network lines is tested in the OSSTMM.
  • Data Networks: Security testing of data networks covers the electronic systems and data networks used for communication or interaction via cable and wired network lines.

Other than these 5, OSSTMM also covers things like:

  • Security: Security is a function of the separation between an asset and a threat, while considering porosity.
  • Controls: Controls provide safety when threats are everywhere, using the concepts of authorization and identification.
  • Compliance: Compliance is different from security, in that a system can be safe yet non-compliant.
  • Rules of Engagement: These define the operational guidelines of acceptable practice while engaging with clients.
  • Error Handling: This focuses on accounting for errors made by the analyst and explains the various error types.
  • Disclosure: Explains how to handle previously unknown or non-publicized security limitations of the client.
  • Reporting: States that the analyst should report what has been found with certainty, not merely what could be.
  • RAV: A scale measurement of the attack surface. There is also a discussion of how to calculate the RAV and how to use it.
  • STAR: Serves as an executive summary of the precise calculation stating the attack surface of the targets.


OSSTMM is a great open-source initiative for security professionals as well as penetration testers to get to know industry standards. There are also other alternatives which you can look at, depending on your client or personal preference.


Vishal Thakur

Network Security Analyst Intern
