Penetration Testing mailing list archives

Re: Security Grade


From: "Eddie Block" <eddie.block () gmail com>
Date: Fri, 7 Dec 2007 10:40:50 -0600

I used to use a three-result (Red, Yellow, Green) system based on two criteria:

First:  Did I gain administrative control of target system(s)?
Second: Did I retrieve proprietary or confidential information?

If I was unable to achieve either objective, the client received a
"green" rating.
If I was able to achieve only one objective, the client received a
"yellow" rating.
If I was able to achieve both objectives, the client received a "red" rating.

It sounds very simplistic, but using that system made the results
immediately clear to executive management (who really didn't care
about the technical issues.)  It also makes it very simple to create
graphs comparing other clients by industry, size, budget, etc.  Again,
this gives the executive summary clarity and impact.

Thanks,
Eddie

On Dec 6, 2007 5:17 AM, 11ack3r <11ack3r () gmail com> wrote:
Hi,

Is there a security criterion or matrix against which we could grade
customers' pen test results? Like assigning them a grade between A and E
or 1 to 10.

*.*



