Penetration Testing mailing list archives

Re: Security Grade


From: Ed Fuller <ed () securityhorizon com>
Date: Mon, 10 Dec 2007 18:37:32 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you are looking for a good way to score the results, I recommend
(with bias) the NSA IEM. It is flexible for any organization and can be
used no matter the scope.  It is also a great mechanism for scoring
findings from all three areas, Management, Operational, and Technical.

                        Ed Fuller, CISSP, IEM, IAM
COO/Principal                                  ed () securityhorizon com
Phone: 719-488-4500                    http://www.securityhorizon.com
FAX: 719-268-1709                                      Copyright 2007
Cell: 719-659-8195
                           Security Horizon, Inc
                "Your global information security experts"


JD Lampard wrote:
A points system is what I use... 0 (worst) - 10
(best).  Then an overall percentage is given which
helps people put the score into perspective easily.
However, this can also be misleading... let's say test
by test you get 10 except for a couple of tests for
router, firewall, and IDS for which you get very bad
scores.  Looking at the overall score gives a false
sense of security to the casual report reader.

Hope this helps.

--- 11ack3r <11ack3r () gmail com> wrote:

Hi,

Is there a security criterion or matrix against which we could grade
customers' pen test results? Like assigning them a grade from A to E
or 1 to 10.

*.*


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE
today!

http://www.cenzic.com/downloads

------------------------------------------------------------------------




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHXencg99bUKUEkroRAvObAJ9II/VtRlNYVCLPT7wKdHUPVCmr8QCg8EuU
JyJlpqGAgl1EksWq23Gq6/I=
=fnF9
-----END PGP SIGNATURE-----
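The masking effect JD Lampard describes above, worked through as an added example that is not part of the original thread: twenty tests are scored 0-10, a straight average is turned into an overall percentage, and three badly failing perimeter controls disappear into a comfortable-looking grade. The control names, scores, the "critical" flag on the perimeter controls, and the A-E percentage bands are all constructed for the illustration; the capped aggregate is one possible alternative, not the NSA IEM scoring or anything the posters proposed.

```python
"""Added example (not from the original thread): a straight average of 0-10
test scores versus an aggregate that refuses to out-grade the worst
critical control.  All data below is constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class TestScore:
    control: str
    score: int            # 0 (worst) .. 10 (best), the scheme described in the thread
    critical: bool = False  # assumption: the assessor flags perimeter controls as critical


def overall_percentage(results):
    """Naive aggregate: total points earned as a percentage of points available.
    Integer arithmetic is kept until the final division so results are exact."""
    if not results:
        raise ValueError("no test results to score")
    earned = sum(r.score for r in results)
    available = 10 * len(results)
    return 100 * earned / available


def capped_percentage(results):
    """Alternative aggregate: the naive percentage, capped at the worst
    critical control's own score (as a percentage).  A firewall scored 1/10
    cannot be hidden behind seventeen perfect application tests."""
    pct = overall_percentage(results)
    critical_scores = [r.score for r in results if r.critical]
    if critical_scores:
        pct = min(pct, 100 * min(critical_scores) / 10)
    return pct


def critical_failures(results, floor=5):
    """Names of critical controls scoring below `floor`; these belong in the
    report's summary regardless of what the headline percentage says."""
    return [r.control for r in results if r.critical and r.score < floor]


def letter_grade(pct):
    """Map a percentage onto A..E bands (assumed band layout, not from the thread)."""
    bands = [(90, "A"), (75, "B"), (60, "C"), (40, "D")]
    for threshold, letter in bands:
        if pct >= threshold:
            return letter
    return "E"


# Constructed sample: 17 tests scored 10/10, plus router, firewall and IDS
# scored very badly, as in the scenario described in the thread.
SAMPLE = [TestScore(f"test-{i:02d}", 10) for i in range(1, 18)] + [
    TestScore("router", 2, critical=True),
    TestScore("firewall", 1, critical=True),
    TestScore("ids", 3, critical=True),
]

if __name__ == "__main__":
    naive = overall_percentage(SAMPLE)
    capped = capped_percentage(SAMPLE)
    print(f"naive average : {naive:.1f}% -> grade {letter_grade(naive)}")
    print(f"capped        : {capped:.1f}% -> grade {letter_grade(capped)}")
    print("critical controls below floor:", critical_failures(SAMPLE))
```

With the constructed sample the naive aggregate reports 88% (a B under the assumed bands) while the capped aggregate reports 10% (an E), which is the false sense of security the post warns about. Whatever aggregate a report uses, listing the failing critical controls next to the headline number is what keeps the casual reader from stopping at the percentage.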
