Penetration Testing mailing list archives
Re: Security Grade
From: Ed Fuller <ed () securityhorizon com>
Date: Mon, 10 Dec 2007 18:37:32 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you are looking for a good way to score the results, I recommend (with bias) the NSA IEM. It is flexible for any organization and can be used no matter the scope. It is also a great mechanism for scoring findings from all three areas: Management, Operational, and Technical.

Ed Fuller, CISSP, IEM, IAM
COO/Principal
ed () securityhorizon com
Phone: 719-488-4500
FAX: 719-268-1709
Cell: 719-659-8195
Security Horizon, Inc
"Your global information security experts"
http://www.securityhorizon.com
Copyright 2007

JD Lampard wrote:
A points system is what I use... 0 (worst) - 10 (best). Then an overall percentage is given, which helps people put the score into perspective easily. However, this can also be misleading... let's say test by test you get 10 except for a couple of tests for router, firewall, and IDS for which you get very bad scores. Looking at the overall score gives a false sense of security to the casual report reader. Hope this helps.

--- 11ack3r <11ack3r () gmail com> wrote:

Hi, Is there a security criterion or matrix against which we could grade a customer's pen test results? Like assigning them a grade between A and E or 1 to 10.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHXencg99bUKUEkroRAvObAJ9II/VtRlNYVCLPT7wKdHUPVCmr8QCg8EuU
JyJlpqGAgl1EksWq23Gq6/I=
=fnF9
-----END PGP SIGNATURE-----
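The roll-up problem JD Lampard describes above (a 0-10 score per test averaged into an overall percentage, which hides a failed router, firewall or IDS among many perfect tests), as an added example that is not part of the original thread and not the NSA IEM scoring method. The test names, the choice of which tests count as critical, the A-E grade bands and the sample scores are all assumptions constructed for illustration; the point it shows is that a letter grade capped by the weakest critical control cannot be dragged up by good results elsewhere.

```python
"""Aggregating per-test pen-test scores: naive mean versus a critical-control cap.

Added example, not code from the original thread or from the NSA IEM.
Scores use the thread's 0 (worst) to 10 (best) scale; everything else
(test names, critical set, grade bands, sample data) is an assumption.
"""
from statistics import mean

# Constructed sample: one 0-10 score per test. Most tests are perfect,
# but the perimeter controls (router, firewall, IDS) score very badly.
SAMPLE_SCORES = {
    "web_app_auth": 10,
    "web_app_input_validation": 10,
    "patch_level_workstations": 10,
    "password_policy": 10,
    "wireless": 10,
    "physical_access": 10,
    "backup_restore": 10,
    "router_acls": 2,
    "firewall_ruleset": 1,
    "ids_coverage": 2,
}

# Tests whose failure undermines every other result (assumption for this example).
CRITICAL_TESTS = {"router_acls", "firewall_ruleset", "ids_coverage"}

# Assumed grade bands on a 0-100 percentage scale, best first.
GRADE_BANDS = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "E")]


def overall_percentage(scores):
    """The naive roll-up from the thread: mean of the 0-10 scores, as a percent."""
    return round(mean(scores.values()) * 10, 1)


def letter_grade(percentage):
    """Map a 0-100 percentage onto the assumed A-E bands."""
    for threshold, grade in GRADE_BANDS:
        if percentage >= threshold:
            return grade
    return "E"


def capped_grade(scores, critical=CRITICAL_TESTS):
    """Letter grade that cannot be better than the weakest critical control.

    The grade implied by the mean is compared with the grade implied by the
    lowest critical-control score, and the worse of the two is reported, so
    nine perfect tests cannot hide a failed firewall ruleset.
    """
    naive = letter_grade(overall_percentage(scores))
    worst_critical = min(scores[t] for t in critical if t in scores)
    cap = letter_grade(worst_critical * 10)
    # Letters sort alphabetically from best (A) to worst (E), so max() picks the worse grade.
    return max(naive, cap)


def report(scores, critical=CRITICAL_TESTS):
    """Both views side by side, plus the critical tests that scored below 4/10."""
    pct = overall_percentage(scores)
    return {
        "overall_percentage": pct,
        "naive_grade": letter_grade(pct),
        "capped_grade": capped_grade(scores, critical),
        "failing_critical": sorted(t for t in critical if scores.get(t, 10) < 4),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SCORES).items():
        print(f"{key}: {value}")
```

On the sample data the naive roll-up reports 75% and a B, which is exactly the false sense of security JD Lampard warns about; the capped grade reports an E and names the three critical tests that caused it. Whatever bands or weights an engagement actually uses, the report should carry both numbers, not just the average.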
Current thread:
- Security Grade 11ack3r (Dec 06)
- Re: Security Grade JD Lampard (Dec 10)
- Re: Security Grade Ed Fuller (Dec 12)
- Re: Security Grade dave-san (Dec 10)
- RE: Security Grade Malhoit, Lauren (Dec 10)
- Re: Security Grade Benjamin Tomhave (Dec 10)
- Re: Security Grade Eddie Block (Dec 10)
- Re: Security Grade Francois Larouche (Dec 12)
- Re: Security Grade Eddie Block (Dec 12)
- Re: Security Grade Francois Larouche (Dec 13)
- Re: Security Grade Pete Herzog (Dec 13)
- Re: Security Grade Francois Larouche (Dec 12)
- Re: Security Grade Stephen Strange (Dec 12)
- Re: Security Grade JD Lampard (Dec 10)
- <Possible follow-ups>
- Re: Security Grade lauren . malhoit (Dec 10)