nerdexam
EC-Council

312-50V11 · Question #543

When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is

The correct answer is D. OSSTMM addresses controls and OWASP does not.. The key distinction between OWASP and OSSTMM is that OSSTMM provides a quantitative controls framework (including the Risk Assessment Value metric), while OWASP's testing guide focuses on identifying vulnerabilities without defining a security controls model.

Information Security and Ethical Hacking Fundamentals

Question

When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is

Options

  • AOWASP is for web applications and OSSTMM does not include web applications.
  • BOSSTMM is gray box testing and OWASP is black box testing.
  • COWASP addresses controls and OSSTMM does not.
  • DOSSTMM addresses controls and OWASP does not.

How the community answered

(27 responses)
  • A
    7% (2)
  • B
    4% (1)
  • C
    15% (4)
  • D
    74% (20)

Why each option

The key distinction between OWASP and OSSTMM is that OSSTMM provides a quantitative controls framework (including the Risk Assessment Value metric), while OWASP's testing guide focuses on identifying vulnerabilities without defining a security controls model.

AOWASP is for web applications and OSSTMM does not include web applications.

OSSTMM's scope includes telecommunications, networks, and web applications, so it is incorrect that it excludes web applications.

BOSSTMM is gray box testing and OWASP is black box testing.

OSSTMM is not defined as gray box testing - it supports and defines multiple testing modes including blind (black box) and double-blind approaches, making this characterization inaccurate.

COWASP addresses controls and OSSTMM does not.

This reverses the actual relationship - it is OSSTMM that addresses controls, not OWASP, so this answer has the frameworks backwards.

DOSSTMM addresses controls and OWASP does not.Correct

OSSTMM v3 explicitly defines operational controls - interactive, process, and detection controls - and provides the Risk Assessment Value (RAV) as a metric to measure the effectiveness of those controls. OWASP's Web Security Testing Guide is a vulnerability-centric methodology focused on test cases for discovering weaknesses in web applications, but it does not define or measure security controls in the structured, quantitative way OSSTMM does. This controls-vs-vulnerabilities focus is the primary methodological difference between the two frameworks.

Concept tested: OWASP vs OSSTMM methodology comparison

Source: https://www.isecom.org/OSSTMM.3.pdf

Topics

#OWASP#OSSTMM#testing methodologies#security controls

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice