312-50V10 · Question #543
When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is
The correct answer is D. OSSTMM addresses controls and OWASP does not.. OSSTMM formally quantifies and addresses operational security controls through its RAV framework, whereas OWASP focuses on identifying specific web application vulnerabilities without providing an equivalent controls measurement methodology.
Question
When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is
Options
- AOWASP is for web applications and OSSTMM does not include web applications.
- BOSSTMM is gray box testing and OWASP is black box testing.
- COWASP addresses controls and OSSTMM does not.
- DOSSTMM addresses controls and OWASP does not.
How the community answered
(52 responses)- A8% (4)
- B4% (2)
- C13% (7)
- D75% (39)
Why each option
OSSTMM formally quantifies and addresses operational security controls through its RAV framework, whereas OWASP focuses on identifying specific web application vulnerabilities without providing an equivalent controls measurement methodology.
OSSTMM covers a broad range of channels including data networks, telecommunications, and human factors, so web application testing is within its scope; it is not limited to non-web environments.
The distinction between OSSTMM and OWASP is not defined by gray box versus black box testing approaches, as both methodologies can be applied under various knowledge levels depending on the engagement.
This reverses the correct relationship; OSSTMM is the methodology that formally addresses and quantifies security controls, not OWASP.
OSSTMM (Open Source Security Testing Methodology Manual) includes a structured controls framework built around operational security metrics and Risk Assessment Values (RAVs), which measure the effectiveness of security controls in place across various channels. OWASP, by contrast, is primarily a guide for discovering and remediating specific vulnerability classes in web applications and does not provide a formal methodology for measuring or quantifying security controls. This distinction in scope - vulnerability identification versus controls assessment - is the core difference between the two frameworks.
Concept tested: OWASP vs OSSTMM methodology scope and controls framework
Source: https://www.isecom.org/OSSTMM.3.pdf
Topics
Community Discussion
No community discussion yet for this question.