Re: Security Grade

From: Stephen Strange (steve.bachelor@gmail.com)
Date: Tue Dec 11 2007 - 13:00:17 EST


If, on the other hand, you'd prefer a more complicated grading matrix,
try the government. I know complicated systems from the government
sounds like a real stretch, but bear with me: there's an alphabet soup
of different systems, and almost all are freely available. Try the NSA
information assurance support environment, the DoD's DITSCAP and
DIACAP processes, the Network Vulnerability Assessment Report, etc.
It's all very complicated, but also unambiguous, precise, and easy to
read.

On Dec 7, 2007, at 11:40 AM, "Eddie Block" <eddie.block@gmail.com>
wrote:

> I used to use a three-result (Red, Yellow, Green) system based on
> two criteria:
>
> First: Did I gain administrative control of the target system(s)?
> Second: Did I retrieve proprietary or confidential information?
>
> If I was unable to achieve either objective, the client received a
> "green" rating.
> If I was able to achieve only one objective, the client received a
> "yellow" rating.
> If I was able to achieve both objectives, the client received a
> "red" rating.
>
> It sounds very simplistic, but using that system made the results
> immediately clear to executive management (who really didn't care
> about the technical issues.) It also makes it very simple to create
> graphs comparing other clients by industry, size, budget, etc. Again,
> this gives the executive summary clarity and impact.
>
> Thanks,
> Eddie
>
> On Dec 6, 2007 5:17 AM, 11ack3r <11ack3r@gmail.com> wrote:
>> Hi,
>>
>> Are there security criteria or a matrix against which we could grade
>> customers' pen test results? Like assigning them a grade from A to E
>> or 1 to 10.
>>
>> *.*


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:15 EDT