Penetration Testing mailing list archives
Re: Security Grade
From: Stephen Strange <steve.bachelor () gmail com>
Date: Tue, 11 Dec 2007 13:00:17 -0500
If, on the other hand, you'd prefer a more complicated grading matrix, try the government. I know complicated systems from the government sounds like a real stretch, but bear with me: there's an alphabet soup of different systems, and almost all are freely available. Try the NSA information assurance support environment, the DoD's DITSCAP and DIACAP processes, the Network Vulnerability Assessment Report, etc. It's all very complicated, but also unambiguous, precise, and easy to read.
On Dec 7, 2007, at 11:40 AM, "Eddie Block" <eddie.block () gmail com> wrote:
I used to use a three results (Red, Yellow, Green) system based on two criteria:First: Did I gain administrative control of target system(s). Second: Did I retrieve proprietary or confidential information. If I was unable to achieve either objective, the client received a "green" rating. If I was able to achieve only one objective, the client received a "yellow" rating.If I was able to achieve both objectives, the client received a "red" rating.It sounds very simplistic, but using that system made the results immediately clear to executive management (who really didn't care about the technical issues.) It also makes it very simple to create graphs comparing other clients by industry, size, budget, etc. Again, this gives the executive summary clarity and impact. Thanks, Eddie On Dec 6, 2007 5:17 AM, 11ack3r <11ack3r () gmail com> wrote:Hi, Is there a security criteria or matrix against which we could grade customer's pen test results? Like assigning them grade between A to E or 1 to 10. *.*--- ---------------------------------------------------------------------This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads--- ---------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: Security Grade, (continued)
- Re: Security Grade JD Lampard (Dec 10)
- Re: Security Grade Ed Fuller (Dec 12)
- Re: Security Grade dave-san (Dec 10)
- RE: Security Grade Malhoit, Lauren (Dec 10)
- Re: Security Grade Benjamin Tomhave (Dec 10)
- Re: Security Grade Eddie Block (Dec 10)
- Re: Security Grade Francois Larouche (Dec 12)
- Re: Security Grade Eddie Block (Dec 12)
- Re: Security Grade Francois Larouche (Dec 13)
- Re: Security Grade Pete Herzog (Dec 13)
- Re: Security Grade Francois Larouche (Dec 12)
- Re: Security Grade Stephen Strange (Dec 12)
- Re: Security Grade JD Lampard (Dec 10)
- Re: Security Grade lauren . malhoit (Dec 10)
- Re: Re: Security Grade cwright (Dec 12)