312-50V11 · Question #543
When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is
The correct answer is D. OSSTMM addresses controls and OWASP does not.. The key distinction between OWASP and OSSTMM is that OSSTMM provides a quantitative controls framework (including the Risk Assessment Value metric), while OWASP's testing guide focuses on identifying vulnerabilities without defining a security controls model.
Question
When comparing the testing methodologies of Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) the main difference is
Options
- AOWASP is for web applications and OSSTMM does not include web applications.
- BOSSTMM is gray box testing and OWASP is black box testing.
- COWASP addresses controls and OSSTMM does not.
- DOSSTMM addresses controls and OWASP does not.
How the community answered
(27 responses)- A7% (2)
- B4% (1)
- C15% (4)
- D74% (20)
Why each option
The key distinction between OWASP and OSSTMM is that OSSTMM provides a quantitative controls framework (including the Risk Assessment Value metric), while OWASP's testing guide focuses on identifying vulnerabilities without defining a security controls model.
OSSTMM's scope includes telecommunications, networks, and web applications, so it is incorrect that it excludes web applications.
OSSTMM is not defined as gray box testing - it supports and defines multiple testing modes including blind (black box) and double-blind approaches, making this characterization inaccurate.
This reverses the actual relationship - it is OSSTMM that addresses controls, not OWASP, so this answer has the frameworks backwards.
OSSTMM v3 explicitly defines operational controls - interactive, process, and detection controls - and provides the Risk Assessment Value (RAV) as a metric to measure the effectiveness of those controls. OWASP's Web Security Testing Guide is a vulnerability-centric methodology focused on test cases for discovering weaknesses in web applications, but it does not define or measure security controls in the structured, quantitative way OSSTMM does. This controls-vs-vulnerabilities focus is the primary methodological difference between the two frameworks.
Concept tested: OWASP vs OSSTMM methodology comparison
Source: https://www.isecom.org/OSSTMM.3.pdf
Topics
Community Discussion
No community discussion yet for this question.