Exam (elaborations)

OSSTMM Professional Security Analyst

Pages: 195
Grade: A+
Uploaded on: 05-02-2025
Written in: 2024/2025

The OSSTMM Professional Security Analyst (OPSA) exam is designed for individuals pursuing a career in security analysis. It evaluates knowledge of security testing methodologies, including penetration testing, vulnerability assessments, and risk analysis. Candidates are tested on their ability to identify, assess, and mitigate security threats in various systems, ensuring the integrity, confidentiality, and availability of an organization’s data and infrastructure.

Contains: Questions & answers
Content preview

OSSTMM Professional Security Analyst

1. What does OSSTMM stand for?

a) Open Source Security Testing Methodology Manual
b) Open Security Standards and Testing Management
c) Operational Security Systems Testing Method
d) Open Source System Testing Manual
Answer: a) Open Source Security Testing Methodology Manual
Explanation: OSSTMM stands for Open Source Security Testing Methodology Manual. It is
a comprehensive guide for security testing and analysis.



2. What is the primary purpose of the OSSTMM?

a) To provide guidelines for software development
b) To offer a methodology for security testing and analysis
c) To establish compliance regulations
d) To design network architectures
Answer: b) To offer a methodology for security testing and analysis
Explanation: OSSTMM is designed to provide a structured methodology for performing
security testing and analysis, ensuring comprehensive and consistent assessments.



3. Which of the following is a core principle of OSSTMM?

a) Profit maximization
b) Comprehensive measurement
c) Minimal documentation
d) Reactive security
Answer: b) Comprehensive measurement
Explanation: OSSTMM emphasizes comprehensive measurement in security testing,
ensuring that all relevant aspects are quantitatively assessed.



4. OSSTMM is considered which type of methodology?

a) Proprietary
b) Open Source
c) Commercial
d) Confidential
Answer: b) Open Source
Explanation: OSSTMM is an open-source methodology, meaning it is publicly available and
can be freely used and modified.




5. Who is the primary author of OSSTMM?

a) Bruce Schneier
b) James Stanger
c) Michael Howard
d) Alan Turing
Answer: b) James Stanger
Explanation: James Stanger is the primary author of OSSTMM, having developed it to
provide a standardized approach to security testing.



6. Which document structure does OSSTMM follow?

a) Agile documentation
b) Structured manual with defined sections
c) Unstructured notes
d) Executive summaries only
Answer: b) Structured manual with defined sections
Explanation: OSSTMM follows a structured manual format with clearly defined sections,
making it easier for practitioners to navigate and apply its methodology.



7. How does OSSTMM differ from other security frameworks like ISO 27001?

a) It focuses on compliance only
b) It provides a methodology for testing rather than establishing a management system
c) It is less comprehensive
d) It is not related to security
Answer: b) It provides a methodology for testing rather than establishing a management system
Explanation: Unlike ISO 27001, which focuses on establishing a security management
system, OSSTMM provides a detailed methodology specifically for performing security
testing and analysis.



8. What is OSSTMM's approach to risk management?

a) It ignores risk management
b) It integrates risk assessment into the testing methodology
c) It relies solely on external frameworks for risk
d) It treats risk as a separate process
Answer: b) It integrates risk assessment into the testing methodology
Explanation: OSSTMM integrates risk assessment within its security testing methodology,
ensuring that identified vulnerabilities are evaluated in the context of potential risks.



9. In OSSTMM, what is the term used for the structured process of identifying security controls?

a) Control Discovery
b) Security Enumeration
c) Control Analysis
d) Control Identification
Answer: c) Control Analysis
Explanation: Control Analysis in OSSTMM refers to the process of systematically
identifying and evaluating security controls within the scope of the security test.



10. What type of metrics does OSSTMM utilize?

a) Qualitative metrics only
b) Quantitative metrics only
c) Both qualitative and quantitative metrics
d) No metrics
Answer: c) Both qualitative and quantitative metrics
Explanation: OSSTMM uses both qualitative and quantitative metrics to provide a
comprehensive assessment of security controls and vulnerabilities.



11. Which of the following is NOT a domain covered by OSSTMM?

a) Information Security
b) Physical Security
c) Environmental Security
d) Financial Auditing
Answer: d) Financial Auditing
Explanation: OSSTMM covers domains like Information Security, Physical Security, and
Environmental Security, but Financial Auditing is not a primary focus.



12. What is the Security Test Matrix in OSSTMM?

a) A tool for organizing security policies
b) A framework for defining security controls
c) A matrix used to plan and execute security tests across different domains
d) A chart for risk levels
Answer: c) A matrix used to plan and execute security tests across different domains
Explanation: The Security Test Matrix in OSSTMM is used to systematically plan and
execute security tests across various domains to ensure comprehensive coverage.



13. Which phase is the first in the OSSTMM security testing process?

a) Reporting
b) Information Gathering
c) Scoping
d) Remediation
Answer: c) Scoping
Explanation: The first phase in the OSSTMM security testing process is Scoping, where the
scope of the security assessment is defined.



14. How does OSSTMM address legal and ethical considerations in security testing?

a) It provides no guidance on legal and ethical issues
b) It includes guidelines to ensure compliance with legal and ethical standards
c) It mandates the use of third-party lawyers
d) It defers to other frameworks for legal guidance
Answer: b) It includes guidelines to ensure compliance with legal and ethical standards
Explanation: OSSTMM includes guidelines to help practitioners ensure that their security
testing complies with legal and ethical standards.



15. What is the primary focus of the OSSTMM certification?

a) Proficiency in network administration
b) Expertise in the OSSTMM methodology
c) General IT security knowledge
d) Software development skills
Answer: b) Expertise in the OSSTMM methodology
Explanation: The OSSTMM certification focuses on validating an individual's expertise and
understanding of the OSSTMM security testing methodology.



16. What historical aspect contributed to the development of OSSTMM?