nerdexam
EC-Council

312-50V10 · Question #543

When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is

The correct answer is D. OSSTMM addresses controls and OWASP does not.. OSSTMM formally quantifies and addresses operational security controls through its RAV framework, whereas OWASP focuses on identifying specific web application vulnerabilities without providing an equivalent controls measurement methodology.

Information Security and Ethical Hacking Fundamentals

Question

When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is

Options

  • AOWASP is for web applications and OSSTMM does not include web applications.
  • BOSSTMM is gray box testing and OWASP is black box testing.
  • COWASP addresses controls and OSSTMM does not.
  • DOSSTMM addresses controls and OWASP does not.

How the community answered

(52 responses)
  • A
    8% (4)
  • B
    4% (2)
  • C
    13% (7)
  • D
    75% (39)

Why each option

OSSTMM formally quantifies and addresses operational security controls through its RAV framework, whereas OWASP focuses on identifying specific web application vulnerabilities without providing an equivalent controls measurement methodology.

AOWASP is for web applications and OSSTMM does not include web applications.

OSSTMM covers a broad range of channels including data networks, telecommunications, and human factors, so web application testing is within its scope; it is not limited to non-web environments.

BOSSTMM is gray box testing and OWASP is black box testing.

The distinction between OSSTMM and OWASP is not defined by gray box versus black box testing approaches, as both methodologies can be applied under various knowledge levels depending on the engagement.

COWASP addresses controls and OSSTMM does not.

This reverses the correct relationship; OSSTMM is the methodology that formally addresses and quantifies security controls, not OWASP.

DOSSTMM addresses controls and OWASP does not.Correct

OSSTMM (Open Source Security Testing Methodology Manual) includes a structured controls framework built around operational security metrics and Risk Assessment Values (RAVs), which measure the effectiveness of security controls in place across various channels. OWASP, by contrast, is primarily a guide for discovering and remediating specific vulnerability classes in web applications and does not provide a formal methodology for measuring or quantifying security controls. This distinction in scope - vulnerability identification versus controls assessment - is the core difference between the two frameworks.

Concept tested: OWASP vs OSSTMM methodology scope and controls framework

Source: https://www.isecom.org/OSSTMM.3.pdf

Topics

#OWASP#OSSTMM#security testing methodology#controls

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice