Zero Trust part 1

Zero trust is the “new” thing gaining a lot of traction and attention.

The problem is that "Zero Trust", as a term, doesn't do many things. It doesn't define trust. It doesn't differentiate between trust types: physical trust is not the same as data networking trust, and so on.

Let's start at the beginning. The term "Zero Trust" was first coined by Stephen Paul Marsh in 1994 at the University of Stirling. Here is a link:

The Zero Trust concept is not really new, but 1994 was the first recorded instance of the term being coined that I and a few others could find.

Since I am focused on the OSSTMM I’ll jump forward to that. If you are new to the OSSTMM you can find it at

Several institutions reference or mention the OSSTMM such as PCI, SANS, NIST, and dozens upon dozens of books on Ethical Hacking.

If you are unfamiliar with the OSSTMM (Open Source Security Testing Methodology Manual), I will give as quick a synopsis as I can, but it's impossible to cover it in one page or even one blog post.

The OSSTMM has often been referred to as a penetration testing methodology, which it can be, but that is a very limited view. What sets it apart is its stance on testing methods and reporting:

  • Full scope testing and confirmation
  • Listing tools used in testing for each step
  • Listing any anomalies that occurred during testing
  • Reporting detailed enough to be repeatable
  • Documenting and addressing limitations in testing
  • Validating all data given by the customer

That is a short, incomplete list, but moving on. In the context of Zero Trust, the OSSTMM has a whole chapter on trust, and it uses that chapter to define trust so there is no option to leave it open to interpretation, which is currently the biggest problem with the whole Zero Trust movement.

Put very simply, trust is a vulnerability: a vulnerability that needs controls in place to limit interactions and boundaries. While the OSSTMM remains vendor agnostic, the current run of "Zero Trust" leaves the definition open to each vendor's interpretation, such as "Only our product can give you zero trust", which is a typical marketing ploy of not lying outright but using the ambiguity to make a claim.

I will take as an example one person's statement in the book "Digital Transformation in Policing: The Promise, Perils and Solutions", in the chapter titled "Zero Trust Security Strategies and Guidelines", which says: Zero trust starts by focusing on identifying those assets that need to be protected. Well, the OSSTMM has said that since 2001. It's the basis of the original OSSTMM and has remained so for 22 years.

Unfortunately, the easier technology becomes to use, the more secure it also becomes, at the cost of usability. That may not apply to every single case, but it covers many.

In the future I will create some posts and even videos using real-world examples of OSSTMM testing and OSSTMM control applications.

Chris Griffin

OSSTMM Certified Trainer for the USA and other regions. ISECOM Board Member. Full time Penetration Tester and OSSTMM evangelist.
