Just a note; was struck by the OSSTMM approach towards the structure of infrastructure. [Disclaimer] though I am quite a fan of the OSSTMM approach (and do want to write up tons of whitepapers linking it with my ideas for moving forward in the InfoSec field without having to revert to #ditchcyber bla), I feel there’s a snag in it:
The analysis part seems to still take a perimetered, though onion, approach. The Defense in Breath is there, for sure, but still the main (sic) focus is on the primary axis of the access path(s). Does this still work with the clouds out there and all, focused as they are on principalled agnostics on where your data and ‘systems’ might hang out?
OK yes now I will go study the OSSTMM materials in depth to see whether this is just my impression and I’m proven horribly wrong, or …
So i’ll leave you with:
[Hardly a street, next to Yonge]
I’d be happy to put you on the OSSTMM research list where you can ask in-depth things like this or suggest new things 🙂 Drop me an e-mail!
I’d be happy to contribute! Would be with fits and starts, but am interested to advocate OSSTMM as *the* tool for bottom-up InfoSec in stead of the mehhhh of ISO27k1 (although the new version is an improvement, ‘upward’ in the business hierarchy), CObIT et al., that in my opinion are bureacrats’ busywork [disclaimer: I am (was!?) one…]. When at the shop floor, things are done right (e.e., with help of OSSTMM), who needs heaps and stacks of processprocedureworkflowmicromanagers ..?