From: Malhoit, Lauren (Lauren.Malhoit@tylertech.com)
Date: Fri Dec 07 2007 - 12:49:11 EST
I think it's all pretty relative. Microsoft recommends doing either a
qualitative risk analysis or quantitative (or both). In one case you
assign the odds of the risk of a specific attack a number (1-10) and
assign the severity of the risk a number (ie will it cause business to
shut down or something). Then you multiply those two numbers and it
gives you a risk assessment. In the other case, you actually take the
odds of how many times a year a risk might happen
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of 11ack3r
Sent: Thursday, December 06, 2007 6:18 AM
To: pen-test@securityfocus.com
Subject: Security Grade
Hi,
Is there a security criteria or matrix against which we could grade
customer's pen test results? Like assigning them grade between A to E
or 1 to 10.
*.*
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:14 EDT