
The OSSTMM Security Testing Methodology

NeoBit team · Jun 17, 2026
OSSTMM (Open Source Security Testing Methodology Manual) is an open, scientifically grounded methodology for testing operational security that, instead of simply listing vulnerabilities, measures the actual state of protection through a numerical indicator called the RAV. Unlike methodologies that focus only on web applications or the technical steps of an attack, OSSTMM looks at the bigger picture: people, processes, physical access, and wireless and data channels. In this article we explain what OSSTMM actually measures, how it relates to OWASP and PTES, and which organisations in the region it suits best.


What OSSTMM is and where it comes from

OSSTMM has been developed by ISECOM (the Institute for Security and Open Methodologies) since 2001, and it is currently in version 3. The idea behind the methodology is simple, yet rarely fulfilled in practice: security testing must be repeatable, measurable, and independent of the person carrying it out. If two teams test the same system using the same methodology, they should arrive at comparable results. That sounds obvious, but in reality most security reports depend on the experience and intuition of the individual tester.

OSSTMM introduces the concept of operational security. It does not just ask whether a vulnerability exists, but how exposed the attack surface really is in day to day operations and how much that exposure is reduced by controls. This shifts the focus away from theoretical gaps and towards what is actually available to an attacker at the moment of measurement.

The five channels OSSTMM covers

The strength of OSSTMM lies in the fact that it does not reduce security to technology alone. The methodology defines five channels through which security can be compromised, grouped into three classes: COMSEC (data networks and telecommunications), PHYSSEC (human and physical) and SPECSEC (wireless):

  • Human channel - social engineering, employee awareness, identity verification procedures.
  • Physical channel - access to buildings, rooms and equipment, entry control and surveillance.
  • Wireless channel - Wi-Fi, Bluetooth, RFID and other radio signals that extend beyond the walls.
  • Telecommunications channel - telephony, VoIP, fax and other voice connections.
  • Data networks - the classic network and application infrastructure that most people picture first when they think of a pentest.

It is precisely because of this breadth that OSSTMM suits organisations that want a complete assessment rather than just a scan of a web application.

What OSSTMM measures: operational security and the RAV

The central output of an OSSTMM test is not a list of vulnerabilities but the RAV (Risk Assessment Values), a numerical indicator that expresses the actual state of protection as a percentage and is delivered in the STAR (Security Test Audit Report), the report format the methodology prescribes. A value of 100 means perfect balance between exposure and controls; a lower value shows that the attack surface is larger than the controls covering it, and a value above 100 indicates redundant or excessive controls that needlessly consume resources.

The RAV is calculated across three groups of elements:

  • Operations (operational security) - how much is exposed in the first place, counted as visibility, access and trust; OSSTMM calls their sum porosity.
  • Controls - the ten protection mechanisms the methodology defines, among them authentication, confidentiality, integrity, resilience, non-repudiation and alarm.
  • Limitations - the actual weaknesses found, classified as vulnerabilities, weaknesses, concerns, exposures and anomalies.

The practical value of the RAV is that it provides an objective figure that is comparable over time, provided the scope and the vector (where the test is performed from) stay the same between measurements. An organisation can measure its current state, implement fixes and repeat the measurement six months later, then see in black and white whether security has genuinely improved. For management and auditors, that is far easier to understand than a sentence stating that seven critical and twelve high findings were identified.
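
As an added illustration of the counts behind the operations group, here is a small Python example written for this article; it is not ISECOM's or NeoBit's code. It applies the OSSTMM operations counts (visibility, access and trust, summed as porosity) per channel to two constructed snapshots of one organisation and reports the change between them. It deliberately stops short of the RAV proper: ISECOM's formula additionally weighs controls and limitations and is not reproduced here. The Target fields, channel keys and every figure are assumptions made for the example.

```python
"""Operational-security porosity counts per OSSTMM channel, compared over time.

Added example, not ISECOM's or NeoBit's code. Applies the OSSTMM operations
counts (visibility, access, trust) to two constructed snapshots and reports the
change per channel. It does NOT compute the RAV: the RAV additionally weighs
controls and limitations with the formula published in OSSTMM 3, which is not
reproduced here. All targets and figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The five OSSTMM channels, keyed as named in the article (keys are our choice).
CHANNELS = ("human", "physical", "wireless", "telecom", "data")


@dataclass(frozen=True)
class Target:
    """One in-scope target: a host, a door, an access point, a phone line, a role."""
    name: str
    channel: str
    visible: bool        # discoverable by the analyst from the chosen vector
    access_points: int   # interactive points that respond: open ports, doors, numbers
    trusts: int          # interactions accepted from another target without authentication


@dataclass
class Porosity:
    """Operations counts for one channel; porosity is their sum."""
    visibility: int = 0
    access: int = 0
    trust: int = 0

    @property
    def total(self) -> int:
        return self.visibility + self.access + self.trust


def porosity_by_channel(targets: Iterable[Target]) -> Dict[str, Porosity]:
    """Count visibility, access and trust per channel; reject unknown channels."""
    result = {channel: Porosity() for channel in CHANNELS}
    for t in targets:
        if t.channel not in result:
            raise ValueError(f"{t.name}: unknown channel {t.channel!r}")
        p = result[t.channel]
        p.visibility += 1 if t.visible else 0
        p.access += t.access_points
        p.trust += t.trusts
    return result


def total_porosity(targets: Iterable[Target]) -> int:
    """Porosity summed over all channels."""
    return sum(p.total for p in porosity_by_channel(targets).values())


def compare(before: Iterable[Target], after: Iterable[Target]) -> Dict[str, int]:
    """Change in porosity per channel; negative means less exposure."""
    b = porosity_by_channel(before)
    a = porosity_by_channel(after)
    return {channel: a[channel].total - b[channel].total for channel in CHANNELS}


# Constructed baseline snapshot (not real scan data).
BASELINE: List[Target] = [
    Target("www", "data", True, 3, 0),                # 22, 80, 443 open
    Target("mail", "data", True, 4, 1),               # relays for the office LAN without auth
    Target("db-01", "data", False, 1, 2),             # not reachable externally, trusts two app hosts
    Target("office-wifi", "wireless", True, 2, 1),    # staff and guest SSIDs; guest reaches the LAN
    Target("pbx", "telecom", True, 1, 0),
    Target("server-room-door", "physical", True, 1, 0),
    Target("helpdesk", "human", True, 1, 1),          # resets passwords on a phone request
]

# Constructed follow-up snapshot six months later, same scope and vector.
FOLLOW_UP: List[Target] = [
    Target("www", "data", True, 2, 0),                # SSH moved behind VPN
    Target("mail", "data", True, 4, 0),               # relay now requires authentication
    Target("db-01", "data", False, 1, 0),             # app hosts authenticate to the database
    Target("office-wifi", "wireless", True, 2, 0),    # guest SSID segmented from the LAN
    Target("pbx", "telecom", True, 1, 0),
    Target("server-room-door", "physical", True, 1, 0),
    Target("helpdesk", "human", True, 1, 1),          # process unchanged: still exposed
]


def report(before: Iterable[Target], after: Iterable[Target]) -> List[str]:
    """Per-channel comparison, one line per channel plus a total line."""
    before, after = list(before), list(after)
    b, a = porosity_by_channel(before), porosity_by_channel(after)
    delta = compare(before, after)
    lines = [f"{'channel':<10} {'before':>6} {'after':>6} {'delta':>6}"]
    for channel in CHANNELS:
        lines.append(f"{channel:<10} {b[channel].total:>6} {a[channel].total:>6} {delta[channel]:>+6}")
    tb, ta = total_porosity(before), total_porosity(after)
    lines.append(f"{'total':<10} {tb:>6} {ta:>6} {ta - tb:>+6}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, FOLLOW_UP)))
```

Run stand-alone, it prints one line per channel with the before, after and delta porosity. The point is the one the article makes: the human channel shows no improvement because the helpdesk process was left as it was, and that is visible as a number rather than buried in a findings list. An unknown channel key is rejected so that a target cannot silently fall outside the five OSSTMM channels.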

OSSTMM versus OWASP and PTES

The most common misconception among clients is the belief that they have to choose a single methodology. In practice, OSSTMM, OWASP and PTES complement one another, because they cover different levels and scopes. OWASP projects focus on application security (web, mobile and API) and provide excellent, very concrete guides (WSTG, MASTG, Top 10). PTES (Penetration Testing Execution Standard) describes the flow of the engagement itself, from pre-engagement to reporting. OSSTMM is the broadest and most measurable, but also the least prescriptive when it comes to individual technical checks.

Characteristic                     OSSTMM                                OWASP                        PTES
Main focus                         Operational security, all channels    Web and mobile applications  Pentest engagement flow
Measurability                      High (RAV metric)                     Low, descriptive findings    Low, process oriented
Covers people and physical access  Yes                                   No                           Partially
Concrete technical tests           Partially                             Very detailed                Guidance by phase
Best for                           Complete assessment and benchmarking  Application pentesting       Engagement structure

In a real project, the sensible approach is a combination. OSSTMM sets the framework and provides a measurable result, PTES structures the phases of work, and OWASP delivers the detailed checks when the application layer is being tested. NeoBit works in exactly this way in its engagements: it uses OSSTMM logic for scope and measurement, and OWASP and other technical standards for the depth of individual checks.

Who OSSTMM suits best

OSSTMM is not for everyone, and it is only fair to say so. If all you need is to check a single web application before going to production, the OWASP approach is faster and cheaper. OSSTMM comes into its own when the subject is the overall security of an organisation.

  • Financial institutions and insurers that need repeatable, audit defensible metrics for the regulator.
  • Manufacturing and logistics companies where physical access to the plant and wireless networks carry real risk, not just the servers.
  • The public sector and healthcare that must demonstrate security progress over time rather than a one off snapshot.
  • Larger companies with multiple locations that need a comparable result across subsidiaries and years.

For smaller companies and startups in the region, it is often wiser to start with a targeted application pentest based on OWASP, and over time move to a broader OSSTMM assessment as the organisation grows. The rule here is that the methodology must serve the risk, and not the other way around.

What an OSSTMM engagement looks like in practice

A solid OSSTMM engagement starts with precisely defining the scope: which channels and which parts of the infrastructure are being measured, and from which vector the test is performed, because a RAV is only comparable with later measurements of the same scope. This is followed by information gathering, mapping visibility, access and trust, and then verifying controls and identifying limitations. Finally the RAV is calculated and a report is produced that gives management a figure and a clear improvement plan. Without that last step the methodology remains an academic exercise, whereas the whole point is to make the decision about where to invest the next euro or convertible mark.

Conclusion and next step

OSSTMM is valuable because it turns security into a measurable quantity and looks beyond the code, towards people, premises and processes. It is not a replacement for OWASP or PTES, but a framework that ties them together into a whole and gives management an understandable indicator. If you are considering an objective assessment of your organisation's security, NeoBit from Mostar carries out penetration testing and security assessments grounded in OSSTMM logic and recognised technical standards. Get in touch for a free introductory scope assessment and a discussion about which combination of methodologies makes the most sense for your case.

Frequently asked questions

What is OSSTMM in simple terms?

OSSTMM is an open security testing methodology that measures the actual operational state of an organisation's protection and expresses it numerically through the RAV. Unlike a plain list of vulnerabilities, it looks at people, physical access, and wireless and data channels, as well as how much the controls actually cover them.

How does OSSTMM differ from OWASP?

OWASP is focused on the security of web and mobile applications and provides very concrete technical checks, whereas OSSTMM is broader and measures operational security across multiple channels, including people and physical access. In practice you do not choose one or the other; you combine them: OSSTMM for the framework and measurement, OWASP for the depth of application tests.

What is the RAV in OSSTMM?

The RAV (Risk Assessment Values) is a numerical indicator that expresses the balance between exposure and controls. A value around 100 means balanced protection, a lower value means the attack surface is larger than the controls, and a higher value means there are redundant controls. The RAV makes it possible to compare security over time and across locations.

Does OSSTMM suit smaller companies in the region?

For smaller companies it is often more cost effective to start with a targeted application pentest based on OWASP, and to move to a broader OSSTMM assessment as the organisation grows and as physical and human risks become more significant. NeoBit helps determine which scope and which combination of methodologies makes sense for your budget and level of risk.
