Penetration Testing mailing list archives

Re: Security Grade


From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Wed, 12 Dec 2007 15:30:09 -0800

Hi Eddie,
> Thanks for the feedback.
My pleasure, and thank you as well for your well-formulated answer.
> I agree that this system could lead to
> misperception.  But the "stop-light" is merely a tool to begin the
> discussion.
I understand, and by itself it is an honest way to forward data, but my problem is: will they really take the time to start a discussion if they see it's Yellow? I would assume so, but my point is that metrics with grades or colors are really relative and subjective to the pen-tester and the reader. What does it really mean when you have an 8? Or 4 or 3 out of 10? What about Green or Yellow? Will that bear the same value or impact to the reader/executive manager? Perhaps, but my fear is that the main message, that there is a major problem, is not necessarily transmitted, or is misunderstood.

I suppose the original question was whether there are any official ways to rate things, but again sometimes they scare me off... As you said, the executive manager wants something concise and easy to understand, and what I'm afraid of is that when it comes to setting priorities they might just put aside the Yellow ones.

What I believe is that inside an executive summary they should be able to read, in bullet-point form, what a hacker can do and its impacts/consequences, in a manner so clear that even your grandmother could understand it. As you mentioned later in the email, you don't necessarily know what their business strategy or even their business processes are. What seems unimportant to a pen-tester might be critical to them (information-disclosure-wise).

I used to use colors myself, with a nice paragraph explaining what they meant, but it was more for the technical guys, project managers or developers. My executive summary had a paragraph explaining how the web application fared, what the problems/vulnerabilities were in a clear bullet-point list without any technical words, and finally a paragraph of recommendations and suggestions. That again, in my humble opinion, is worth more than any grading, which is unfortunately too subjective and does not convey any tangible message.
> Turn this the other way.  If a company has done an exceptional job of
> locking down systems and denies me access, but they have inadvertently
> exposed confidential information (ie. placed client information on a
> webserver in a "secret" directory) then they need to know there is a
> problem.
I agree with you here, but even without being told which directory it is, the executive manager ought to know what kind of information is being divulged.
> Going into more of a philosophical approach, I've always believed that
> the true impact of the report is in the narrative, whether that is
> delivered in the report, de-brief, or both.
I agree with you, but sometimes a company lacks the time or, for bad-timing reasons, won't ever talk to you... Believe me, it happens more than we can imagine. So the medium between your findings and the horrible truth is the report. Besides, you might meet the executive management in a small business, but I'm not quite sure that a big company will have time for this, sadly, no matter how critical it is... But again, they might get hold of the report, and if it talks clearly to them then the project managers have a much easier time requesting time and resources to fix the problems.
> As an outside consultant
> each company will have unique business processes that I will never
> know.  If I can paint the picture clearly and in a non-threatening
> way, executive management will usually start sharing with me how much
> this would affect their business processes or client trust.  I also
> highlight the statutory and regulatory implications of lax security.
> Using a clearly defined criteria has the perception of fairness.
On this I'm glad you can do it; nothing is better than a human being able to explain their report. And you seem to be a smart guy, so I'm sure you can convey the real risks.
> I don't think there is one "correct" answer to the original question.
Completely agree with you.
> My method has proven successful for me over the past few years and my
> clients seem happy with my product.  I'm sure that a 1-10 scale would
> be equally effective but, for my personal disposition, I find that
> overly complex.
Not only complex but really subjective for both parties: writers and readers.

My thanks as well for your answer.

Cheers

Francois

