Penetration Testing mailing list archives
Re: Risk metrics
From: Pete Herzog <lists () isecom org>
Date: Sat, 05 Nov 2005 21:59:48 +0100
Marc,
> Has anybody else had a look at the RAV metric for OSSTMM 3.0? I just did - and in my opinion it's horrifying. Anything which is more complicated than multiplying more than 3 numbers is too complicated to use in a report to a client.
You actually need only provide 1 number to the client -- the RAV. If you want to break it down into each part, then yes, it's 4 numbers which might start getting a little heavy for your clients.
> It is already difficult enough to explain to them what their problems are - this calculation sheet is a killer for any consultant.
I think you just need to learn it first. It's actually pretty simple to fill out the form and once you read through an example you'll figure it so as well. I know it has helped early-adopter consultants better explain gaps in security or wasted money on overly redundant security measures to their clients.

Sincerely,
-pete.