Version 2 of the Open Source Security Testing Methodology Manual (OSSTMM) was posted on the Web this week by the Ideahamster Organization, a loose confederation of security professionals.

Created by Pete Herzog, "director of ideas" at Ideahamster, the OSSTMM is an open-standard methodology for security testing. While Herzog conceived of the idea, the document now contains ideas from more than 150 contributors, 33 of them regular contributors to the project.

The OSSTMM has been downloaded more than 500,000 times, Herzog says. "From those downloads, I have had many positive comments and constructive criticisms. This manual, through peer review and much support, has become the most thorough and complete security testing document to be found," he writes in the foreword to OSSTMM V2.0.

The idea behind the project was to create a standard for what constitutes a good security test. "Following an open-source, standardized methodology that anyone and everyone can open and dissect and add to and complain about is the most valuable contribution we can make to Internet security," he writes.

Major changes in version 2 include the integration of security metrics and benchmarks, which allow users to evaluate security products and measure security risk over a given time period. The new version also covers physical security testing, social engineering, and wireless and communications testing.

Ideahamster publishes a complementary document, "The Jack of All Trades Security Testing Training Supplement," to assist users in developing security testing skills.

Both documents are available here at no charge.