Product Information

| Name: | OCTAVE |
|---|---|
| Website: | http://www.cert.org/octave/ |
| Category: | Methodology |
| Date: | 15-Mar-07 |
(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive.)
No, I'm not talking about the musical term or the GNU language for numerical computation. Operationally Critical Threat, Asset, and Vulnerability Evaluation is a self-directed assessment methodology for security risk management. Isn't that a mouthful? I can hear someone yelling "Bingo!" right now based on all the jargon packed into that one sentence.
The work on OCTAVE took place at Carnegie Mellon University's Software Engineering Institute (home of the CERT Coordination Center), which is sponsored by the DoD. The first OCTAVE framework report dates from 1999, and the form most people know, described in the 2003 "Introduction to the OCTAVE Approach", is the one this column refers to. As best as I can tell we owe this body of work to Christopher Alberts, Audrey Dorofee, James Stevens and Carol Woody.
What's special about OCTAVE is that it's entirely self-directed and not tied to any particular technology. The method assumes that people inside the organization are better suited to perform its risk assessment than a third party, because they know the assets, the business processes and the day-to-day practices. Today we still see many organizations outsourcing their risk assessments, but far fewer than in 2003. OCTAVE focuses on strategy and process rather than on technical tools: where other evaluations focus on technology (scanners, vendor scorecards), OCTAVE focuses on the organization's security practices and the operational impact of losing its critical assets.
This is starting to sound all too familiar. Today it's a common theme to focus on best practices and standard configurations rather than on how vendor X, Y or Z scores my web servers. That may be exactly why not many people know of or use OCTAVE by name. Those who read about the approach took the important lessons back to the office and used them to build their own self-directed methodologies and metrics. Unfortunately, very few technical risk management vendors aligned their products with the methodology, so OCTAVE never developed a large following or an active community. Nonetheless, it's fair to say that its core components (identify the critical assets, the threats to them and the vulnerabilities those threats can exploit, then decide on protection strategy based on operational impact) are still very important and live on today.
This leads me to the difficulty of placing a score on OCTAVE. As usual I try to apply a rating in terms of Features, Ease of Use, Documentation and Community. OCTAVE is a funny tool in that it just doesn't fit well into these categories, but giving it a low rating would be an injustice. I've learned a lot about risk assessments from OCTAVE and I encourage others to read and learn from it.
OCTAVE is a registered trademark, and each of the documents is subject to its own usage restrictions. None of those restrictions should prevent you from using the materials as provided, but calling it open source in the GPL sense would be misleading: read the terms on each document before redistributing or adapting it.
Enjoy the Free Lunch.


Comments (1)
Yes, but it is a meeting-intensive, heavy weight sort of thing.
Posted by Yes, but | March 15, 2007 9:21 PM