Security Basics mailing list archives

Re: Betr.: Grading System


From: robert () dyadsecurity com
Date: Tue, 23 Nov 2004 11:08:42 -0800

"Paul Ryan" <pryan () rogers wave ca> 22-11-04 21:29 >>>
> Just looking for more input here - as part of an assessment, is there an
> industry-accepted grading system?

Risk Assessment Values (RAVs), as described in the Open Source Security Testing Methodology Manual (OSSTMM - 
http://www.osstmm.org), provide a way to clearly describe the types of problems that were found.  They let the analyst 
distinguish between identified (the application is the right version to be vulnerable) vs. verified (we introduced 
this stimulus and got this response, confirming that the application is absolutely vulnerable).

The 3.0 (soon to be released) version of the OSSTMM is a significant improvement over the 2.1 RAV framework ... but 
there is still value to reading up on the 2.1 language.

I have found the RAV system to be a significant improvement over the "High/Medium/Low" industry-standard language.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
