Re: Security Grade

From: Francois Larouche (francois.larouche-ml@sqlpowerinjector.com)
Date: Wed Dec 12 2007 - 18:30:09 EST


Hi Eddie,
> Thanks for the feedback.
My pleasure, and thank you as well for your well-formulated answer.
> I agree that this system could lead to
> mis-perception. But the "stop-light" is merely a tool to begin the
> discussion.
>
I understand, and by itself it is an honest way to forward data, but my
problem is: will they really take the time to start a discussion if they
see it's Yellow? I would assume so, but my point is that metrics with
grades or colors are really relative and subjective to the pen-tester and
the reader. What does it really mean when you have an 8? Or 4 or 3 out of
10? What about Green or Yellow? Will that bear the same value or impact
for the reader/executive manager? Perhaps, but my fear is that the main
message, that there is a major problem, is not necessarily transmitted,
or is misunderstood.

I suppose the original question was whether there are any official ways
to rate things, but again, sometimes they scare me off... As you said,
the executive manager wants something concise and easy to understand,
and what I'm afraid of is that when it comes to setting priorities they
might just put aside the Yellow ones.

What I believe is that inside an executive summary they should be able
to read, in bullet-point form, what a hacker can do and its
impacts/consequences, in a manner so clear that even your grandmother
can understand it. As you mentioned later in the email, you don't
necessarily know what their business strategy or even their business
processes are. What seems unimportant to a pen-tester might be critical
for them (information-disclosure-wise).

I used to use colors myself, with a nice paragraph to explain what they
mean, but it was more for the technical guys, project managers or
developers. My executive summary had a paragraph explaining how the web
application fared, a clear bullet-point list of the
problems/vulnerabilities without any technical words, and finally a
paragraph of recommendations and suggestions. That again, in my humble
opinion, is worth more than any grading, which is unfortunately too
subjective and does not convey any tangible message.
> Turn this the other way. If a company has done an exceptional job of
> locking down systems and denies me access, but they have inadvertently
> exposed confidential information (i.e. placed client information on a
> webserver in a "secret" directory) then they need to know there is a
> problem.
>
I agree with you here, but without telling them what directory it is,
the executive manager ought to know what kind of information is being
divulged.
> Going into more of a philosophical approach, I've always believed that
> the true impact of the report is in the narrative, whether that is
> delivered in the report, de-brief, or both.
I agree with you, but sometimes the company lacks the time or, for bad
timing reasons, won't ever talk to you... Believe me, it happens more
often than we can imagine. So the medium between your findings and the
horrible truth is the report. Besides, you might meet the executive
management in a small business, but I'm not quite sure that a big
company will have time for this, sadly, no matter how critical it is...
But again, they might get hold of the report, and if it talks clearly to
them then the project managers have a much easier time requesting time
and resources to fix the problems.
> As an outside consultant
> each company will have unique business processes that I will never
> know. If I can paint the picture clearly and in a non-threatening
> way, executive management will usually start sharing with me how much
> this would affect their business processes or client trust. I also
> highlight the statutory and regulatory implications of lax security.
> Using a clearly defined criteria has the perception of fairness.
>
On this, I'm glad you can do it; nothing is better than a human being
able to explain their report. And you seem to be a smart guy, so I'm
sure you can convey the real risks.
> I don't think there is one "correct" answer to the original question.
>
Completely agree with you.
> My method has proven successful for me over the past few years and my
> clients seem happy with my product. I'm sure that a 1-10 scale would
> be equally effective but, for my personal disposition, I find that
> overly complex.
Not only complex but really subjective for both parties: writers and readers.

My thanks as well for your answer.

Cheers

Francois




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:15 EDT