Penetration Testing mailing list archives
Is there an Open Source Vulnerability Analysis Framework?
From: "Steve Armstrong" <stevearmstrong () logicallysecure com>
Date: Sat, 15 Jul 2006 01:23:03 +0100
Please excuse this request, if it sounds noddy. . . . Having worked in the areas of penetration testing, vulnerability analysis, operational security, risk analysis and accreditation (the UK Government's process of getting authority to operate for 'classified' systems), I have yet to come across an open source vulnerability analysis framework. We have loads of in-house procedures for actually doing the testing and documents for pre, during and post testing, but nothing that would allow another tester to repeat the same contract and produce the same results or report. More importantly there appears to be nothing in the public domain for the customer to read and understand what we were trying to achieve and what his role in the process was prior to our engagement. It sort of comes down to the fact that there is no way of getting two testers to give you the same results for testing the same network, and while this is good for business in the short term, it does not seem useful for the client in the long term. Thus my question to the lists is: Bar the OSSTMM and the Hacking Exposed methodologies, what other open source or otherwise testing and test definition frameworks are out there? I am looking really at all aspects of data access via network enabled connectivity at the moment, other types of access and risks will come later. The main reason for asking is this that recently, I devised what appears to be a comprehensive process that should allow two different testing bodies to produce the same test plan and more importantly the same results; and while some generally ignore variations in the testers skills, this will allow the client to confirm before the testing occurs that the tester has the necessary skills. So before I go through the stages of developing this framework (will be open source) further, I though it best to check it has not already been done. I would be grateful for any pointers and urls. Thx Steve A (nebs) ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- Is there an Open Source Vulnerability Analysis Framework? Steve Armstrong (Jul 14)
- Re: Is there an Open Source Vulnerability Analysis Framework? killy (Jul 16)
- Re: Is there an Open Source Vulnerability Analysis Framework? Christian Martorella (Jul 17)
- Re: Is there an Open Source Vulnerability Analysis Framework? frank.boldewin (Jul 17)
- Re: Is there an Open Source Vulnerability Analysis Framework? Gareth Davies (Jul 17)