From MRL Wiki
Open Source Security Testing Methodology Manual (OSSTMM) is a security evaluation methodology geared toward the needs of auditors and penetration testers. It provides a clear methodology for calculating security metrics (Risk Assessment Values) to illustrate the state of security.
 Security Map
OSSTMM defines The Security Map which is a visual representation of six different types of security tests distinguished in the methodology. The six sections are:
- Information Security
- Process Security
- Internet Technology Security
- Communications Security
- Wireless Security
- Physical Security
Each section is further subdivided into modules representing the flow of the methodology from one security presence point to the other. For example, section Physical Security contains the following modules:
- Posture Review
- Access Controls Testing
- Perimeter Review
- Monitoring Review
- Alarm Response Review
- Location Review
- Environment Review.
Each module contains specific tasks that should be performed to evaluate the security of each individual module. According to the methodology, all modules have input (information used in performing each task) and output (intelligence gathered). However, under certain conditions modules may not produce any output at all such as the case where the module is not applicable. For example, module Perimeter Review contains the following tasks:
- Map physical perimeter
- Map physical protective measures (fences, gates, lights, etc.)
- Map physical access routes / methods
- Map unmonitored areas
 Security Metrics
The metrics themselves are collected during the testing process where various variables are recorded and later used in the final calculation of Actual Security Risk Assessment Value (RAV) which is the overall security score.
Scope is defined as the number of items that need to be tested from a given vantage point.
There are three different classes of variables used in calculation of Actual Security RAV:
- Operational Security (OPSEC) - defined by visibility, trusts, and accesses
- Controls - Impact and loss reduction controls. There are 10 controls, 5 interaction controls and 5 procedures controls.
- Limitations - the current state of perceived and known limits for channels, operations, and controls as verified by the audit.
 Operational Security
Operational Security (OPSEC) is the measurement of visibility, trust and access from the scope:
- Visibility - the number of targets in the scope that can be determined to exist.
- Trust - the number of targets in the scope allowing unauthenticated interaction.
- Access - the number of interaction points with each target in the scope
- Authentication - the number of instances in the scope of authentication required to gain access.
- Indemnification - the number of methods used to exact liability and insure compensation for all assets within the scope.
- Subjugation - the number of instances for access or trust in the scope which strictly does not allow for controls to follow user discretion or originate outside itself.
- Continuity - the number of instances for access or trust in the scope which assures that no interruption in interaction over the channel and vector can be caused even under situations of total failure.
- Resistance - the number of instances for access or trust in the scope that does not fail open and without protection or provide new accesses upon a security failure.
- Non-repudiation - the number of instances for access or trust that provides a non-repudiation mechanism for each interaction to provide assurance that the particular interaction did occur at a particular time between the identified parties.
- Confidentiality - the number of instances for access or trust in the scope that provides the means to maintain the content of interactions undisclosed between the interacting points.
- Privacy - the number of instances for access or trust in the scope that provides the means to maintain the method of interactions undisclosed between the interacting parties.
- Integrity - the number of instances for access or trust in the scope which can assure that the interaction process and access to assets has finality and cannot be corrupted, hanged, continued, redirected, or reversed without it being known to the parties involved.
- Alarm - the number of instances for access or trust which has a record or makes a notification when unauthorized and unintended prosity increases for the vector or restrictions and controls are compromised or corrupted.
- Vulnerability - count separately each flaw or error that defies protections whereby a person or process can access, deny access to others, or hide itself or assets within the scope.
- Weakness - count each flaw or error in the controls for interactivity: authentication, indemnification, resistance, subjugation, and continuity.
- Concern - count each flaw or error in process controls: non-repudiation, confidentiality, privacy, integrity, and alarm.
- Exposure - count each unjustifiable action, flaw, or error that provides direct or indirect visibility of targets or assets withing the chosen scope channel of the security presence.
- Anomaly - count each unidentifiable or unknown element which cannot be accounted for in normal operations, generally when the source or destination of the element cannot be understood.
 Actual Security
- Actual Delta - sum of Op Sec Delta and Loss Controls Delta and subtracting the Security Limitations Delta.
- Actual Security Total - true state of security provided as a hash of all three sections and represented in a percentage where 100% represents a balance of controls for interaction points to assets with no limitations.