What is the OSSTMM?
In short, the OSSTMM is a mechanism for determining the Operational Security ("OpSec") of a target scope. OpSec is defined as the combination of "separation and controls without limitations". It is essentially a measurement of the protection between assets and whatever threatens them, using a formula, together with a method and approach, to identify and categorize controls (security measures) and limitations (weaknesses or vulnerabilities). What is actually measured is the "Attack Surface" of a given target, with the goal of identifying deficiencies in the protection measures in place.
What the OSSTMM is not is a Risk Assessment methodology. Rather, it is a means of collecting and analyzing data to produce results sufficient to support risk decisions. Because "Risk" is a subjective concept (one person's opinion of it differs from another's), the OSSTMM is a means to define and consistently measure the state of operational security, so that decisions about risk can be made on the basis of measured facts rather than past experience, product preference or other biased human inputs.
Nor is the OSSTMM a "Threat Analysis" methodology. It assumes nothing about specific threats, only the Attack Surface, and attempts to identify and measure deficiencies (limitations) in the protection of assets. It is also highly repeatable, and so can be used to measure progress (or the lack thereof) in the security operations of any organization over time.
I've described this in very high-level concepts, I know, but keep all of it in mind as we discuss the OSSTMM in more detail. And don't fear: if this is your first exposure to the OSSTMM and you are accustomed to "Vulnerability Assessments", think of this as a beefed-up version with a better action plan to boot. We'll be discussing the specifics, with examples, in later articles.
I mentioned earlier that back in 2005 I noticed a glimmer of the overall intent of what the OSSTMM was and has now become. A few of the original concepts are still the foundation of the OSSTMM when used in the assessment process, but some more clearly defined concepts in the upcoming version allow the OSSTMM methodology to be used in assessing the security of all sorts of things. (One specific example that I hope to get translated into English one day soon is an analysis of the bank in the Ocean's Eleven movie. The OSSTMM was used to show very clearly the bank's lack of operational security in protecting its assets.)
At any rate, here's a brief run-down of what I consider to be the heart and soul of the OSSTMM.