
Open Source Security Testing Methodology Manual (OSSTMM)

OSSTMM is a peer-reviewed security testing methodology that provides a scientific framework for measuring operational security through comprehensive testing of physical, human, wireless, telecommunications, and data network channels.

The Open Source Security Testing Methodology Manual (OSSTMM), developed by the Institute for Security and Open Methodologies (ISECOM), is a peer-reviewed methodology for performing security tests and producing security metrics. Unlike vulnerability-focused frameworks, OSSTMM takes a scientific approach to security testing by defining measurable security metrics through its Risk Assessment Values (RAV) system. The methodology organizes security testing across five channels: Human Security, Physical Security, Wireless Communications, Telecommunications, and Data Networks. OSSTMM emphasizes measuring actual security rather than perceived security, focusing on quantifying the attack surface and the effectiveness of controls rather than simply cataloging vulnerabilities.

Why It Matters

OSSTMM distinguishes itself from other methodologies by providing a quantitative framework for security measurement. While most penetration testing methodologies produce findings lists ranked by severity, OSSTMM’s RAV system calculates an actual security metric based on the relationship between attack surface (porosity), the controls in place (limitations), and the operational state of those controls. This quantitative approach is particularly valuable for organizations that need to track security posture over time, compare security across different business units, or justify security investments to executive leadership with data rather than anecdotes. OSSTMM also explicitly addresses trust analysis, examining how trust relationships between systems and people create exploitable pathways.

For example, an OSSTMM assessment of a financial trading platform does not just identify that a firewall rule allows unnecessary traffic. It quantifies the attack surface exposure, evaluates the detection and response controls in place, and produces a RAV score that concretely measures whether the overall security posture has improved or degraded compared to the previous assessment period.

How Revaizor Handles This

Revaizor incorporates OSSTMM’s philosophy of measurable security into its platform through quantitative security metrics that track attack surface changes over time. The platform’s continuous assessment model aligns with OSSTMM’s emphasis on operational security measurement rather than point-in-time snapshots. Revaizor quantifies attack surface exposure across tested channels, evaluates the effectiveness of controls by actively testing them rather than reviewing configurations, and provides trend analysis that shows whether security posture is improving or degrading, giving organizations the data-driven security measurement that OSSTMM advocates.
