Penetration Testing mailing list archives

Re: Security Grade


From: Pete Herzog <lists () isecom org>
Date: Wed, 12 Dec 2007 13:10:50 +0100

Hi,

Thanks for the feedback.  I agree that this system could lead to
mis-perception.  But the "stop-light" is merely a tool to begin the
discussion.

Have you looked into the RAVs at www.isecom.org/ravs and its extension, the STAR (Security Test Audit Report)? It's a way to give a quantitative report in a manner the management likes: as a grade. The reason why I suggest this is because whenever people dismiss a bad practice as just a means to "start a discussion" that can be a problem in security. We should strive to be as accurate as possible so as to avoid confusion, assume to be able to predict gut reaction, or even try to persuade a course of action before we have all the facts. Whether it's a stop-light, a thermometer, a 10 scale, etc. if it's not factual then it fails to deliver any value. The RAVs will allow you to quantify security in terms of the client and grade them according to their infrastructure. The STAR will detail how the test was run, what was tested, and what was NOT tested so as to be perfectly clear. You can even give a RAV value per system or per service if you want to get that fine-grained. Pure Hacking, a company in Australia, gives a RAV value for web application tests- that's how specific they report. You may want to look into it.

Sincerely,
-pete.
www.isecom.org

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


Current thread: