Open Source Security Testing Methodology Manual

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.
The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.
Open Source Automated Test Tools Written in Java

MaxQ is a free web functional testing tool. It includes an HTTP proxy that records your test script, and a command line utility that can be used to playback tests. The proxy recorder automatically stores variables posted to forms, so you don't have to write that stuff by hand.
The Abbot framework is a Java library for GUI unit testing and functional testing. It provides methods to reproduce user actions and examine the state of GUI components. The framework may be invoked directly from Java code or accessed without programming through the use of scripts. There are two ways of using this framework. One is to write the tests directly in Java code. The other is to use a script to control the event playback and testing, which is more suitable to integration/functional testing. A script editor is provided to facilitate the latter form of test.
Open Source Java and Web Testing Tools

The selection of the best testing tool for a particular development environment is a critical success factor for the testing activities. A testing tool should be considered based on the test objectives. As a general guideline, one must investigate the appropriateness of a testing tool when the manual process is inadequate.
One of the most widely-used tools is Abbot, a framework for testing Java GUIs. Using simple XML-based scripts, we can launch a GUI, play back arbitrary user actions on it, and examine its state. It also includes a script editor (Costello) that records user actions. The framework may be invoked directly from Java code (JUnit) or accessed without programming through the use of scripts. It is suitable for use both by developers for unit tests and by QA for functional testing, especially with JFC Swing. This tool has an excellent development team, which constantly updates the software.
Automated Open Source Testing and Certification

SpikeSource, a starry Redwood City, California, start-up providing Open Source software testing services, wants to embolden enterprises to use the Linux, Apache, MySQL, and PHP/Python/Perl (LAMP) stack (www.spikesource.com). Their goal is to certify the LAMP stack and the applications that use it. At the heart of its value proposition is an automated testing bed, which lets software vendors and Open Source projects upload their applications and verify that there are no conflicts with the stack.
SpikeSource provides these tools for free and offers tools to integrate and manage Open Source assets. SpikeSource tools such as Spike Asset Manager (SAM) have been open sourced and are on Sourceforge.
Open Source Web Testing Tools in Java

HtmlUnit is a Java unit testing framework for testing web based applications. It is similar in concept to HttpUnit but is very different in implementation. Which one is better for you depends on how you like to write your tests. HttpUnit models the HTTP protocol so you deal with request and response objects. HtmlUnit, on the other hand, models the returned document so that you deal with pages, forms and tables.
Open source security testing methodology
Truth is made of numbers. Following this golden rule, Federico Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of the OSSTMM, to talk about the upcoming revision 3.0 of the Open Source Security Testing Methodology Manual. He discusses why we need a testing methodology, why use open source, the value of certifications, and plans for a new vulnerability scanner developed with a different approach than Nessus.

Without a security testing methodology, the actual test tends to be all over the place. One tester actually described this once to me as his test being "a mess" without it. The real answer is that a methodology is required to test anything thoroughly. As humans, we take short-cuts. We assume we know an answer or we know what's going on because of past experiences and we cut to the chase because time is money and all that.
Wolf Testing: Open Source Testing Software

Wolf Testing is software for easily creating and editing exams. Wolf Testing allows the user to create an exam from a database of questions, view it on screen, and easily print it along with the corresponding answer guide. The questions can be multiple choice, short answer, long answer, or true and false varieties. This software can be accessed securely from any location, allowing the user to easily create exams from home. New questions, which can include associated pictures, can be added through a web-interface. After adding in questions, they can be edited, deleted, or duplicated into multiple versions. Long-term test creation is simplified, as you are able to quickly see what questions you have asked in the past and insert them, with or without editing, into future tests. All tests are archived in the database.
Written in PHP and MySQL, this software can be installed on any UNIX / Linux platform, including Macintosh OS X. The secure interface keeps students out, and allows you to decide who can create tests and who can edit information already in the database. Tests can be output as either html with pictures or rich text without pictures, and there are plans to add PDF and MS Word formats as well.
Open Source Penetration Testing

Get five of Syngress's best-selling penetration testing and open source security books including the brand new Penetration Tester's Open Source Toolkit in a convenient, double CD at over 50% off the retail price of the books. This unbeatable package also includes the Security Auditor Toolkit with over 300 Pen Testing Tools on a Bootable Linux CD. CD includes the following best-selling PDF e-books:
Penetration Tester's Open Source Toolkit by Johnny Long, Chris Hurley, Sense Post, Mark Wolfgang, and Mike Petruzzi
"This book provides all the information needed to start working in a great and challenging area of computer security." Max Moser, www.remote-exploit.org
- Master the Art of Reconnaissance, Enumerating, and Writing Open Source Tools
- Use NASL Extensions, and Metasploit as an Exploitation Platform
- PenTest Enterprise Networks, Wireless Networks, Web Servers, Network Devices, and
DHS procures testing service for open-source apps

The Homeland Security Department has procured a bug testing service for popular open-source programs, one that will submit applications such as Apache and MySQL to a level of scrutiny enjoyed by many commercial software providers.
Open-source project leaders could use these results to fix software defects, while agency and critical infrastructure IT shops could monitor them to evaluate or take corrective action on applications.
"DHS realizes that much of the critical infrastructure runs on open source," said David Park, co-founder and vice president of marketing and business development for software testing company Coverity Inc. of San Francisco. "One of the reasons DHS has been behind this is that there hasn't been a centralized and comprehensive way of enforcing security and reliability" with many open-source projects, he said.
Linux-shy public sector gets open source test lab
A new laboratory has opened in Manchester that will allow government departments and local authorities to trial open source software in confidence in an independent test environment.
Cheshire County Council is the first public sector organisation to use the facility at the National Computing Centre's (NCC) headquarters to conduct a trial for a joint open source and proprietary desktop platform.
The laboratory is part of the national Open Source Academy project funded by the Office of the Deputy Prime Minister, which aims to accelerate the use of open source software within the public sector.
Access to the laboratory service is free for public sector bodies, who can configure the suite of test machines to their own specifications for open source evaluation trials. The NCC facility is also available by remote access.