Re: Is there an Open Source Vulnerability Analysis Framework?

[Christian Martorella <laramies2k () yahoo com ar>]

Hi Steve, i think that ISSAF (Information System Security Assessment 
Framework) could suit your needs.

"The ISSAF is OISSG's flagship project. It is an effort to develop an 
end-to-end framework for security assessment. The ISSAF aims to provide a 
single point of reference for professionals involved in security assessment; 
it reflects and addresses the practical issues of security assessment. The 
ISSAF is an evolving framework and it will be further amended and updated."

You can get it here:

http://www.oissg.org

Hope it helps ;)


Regards, 

Christian Martorella

On Saturday 15 July 2006 02:23, Steve Armstrong wrote:
> Please excuse this request, if it sounds noddy. . . .
>
> Having worked in the areas of penetration testing, vulnerability
> analysis, operational security, risk analysis and accreditation (the UK
> Government's process of getting authority to operate for 'classified'
> systems), I have yet to come across an open source vulnerability
> analysis framework.
>
> We have loads of in-house procedures for actually doing the testing and
> documents for pre, during and post testing, but nothing that would allow
> another tester to repeat the same contract and produce the same results
> or report.  More importantly there appears to be nothing in the public
> domain for the customer to read and understand what we were trying to
> achieve and what his role in the process was prior to our engagement.
>
> It sort of comes down to the fact that there is no way of getting two
> testers to give you the same results for testing the same network, and
> while this is good for business in the short term, it does not seem
> useful for the client in the long term.
>
> Thus my question to the lists is:
>
>     Bar the OSSTMM and the Hacking Exposed methodologies, what other
> open source or otherwise testing and test definition frameworks are out
> there?
>
> I am looking really at all aspects of data access via network enabled
> connectivity at the moment, other types of access and risks will come
> later.
>
> The main reason for asking is this that recently, I devised what appears
> to be a comprehensive process that should allow two different testing
> bodies to produce the same test plan and more importantly the same
> results; and while some generally ignore variations in the testers
> skills, this will allow the client to confirm before the testing occurs
> that the tester has the necessary skills.
>
> So before I go through the stages of developing this framework (will be
> open source) further, I though it best to check it has not already been
> done.  I would be grateful for any pointers and urls.
>
> Thx
>
> Steve A
> (nebs)
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Cross-Site Scripting (XSS) is one of the most common application-level
> attacks that hackers use to sneak into web applications today. This
> whitepaper will discuss how traditional CSS attacks are performed, how to
> secure your site against these attacks and check if your site is protected.
> Cross-Site Scripting Explained - Download this whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
> --------------------------------------------------------------------------

                
_________________________________________________________ 
Horóscopos, Salud y belleza, Chistes, Consejos de amor: 
el contenido más divertido para tu celular está en Yahoo! Móvil. 
Obtenelo en http://movil.yahoo.com.ar

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------