Re: Security Grade




If you are looking for a good way to score the results, I recommend
(with bias) the NSA IEM. It is flexible for any organization and can be
used no matter the scope. It is also a great mechanism for scoring
findings from all three areas, Management, Operational, and Technical.

Ed Fuller, CISSP, IEM, IAM
COO/Principal ed@xxxxxxxxxxxxxxxxxxx
Phone: 719-488-4500 http://www.securityhorizon.com
FAX: 719-268-1709 Copyright 2007
Cell: 719-659-8195
Security Horizon, Inc
"Your global information security experts"


JD Lampard wrote:
A points system is what I use... 0 (worst) - 10 (best). Then an overall
percentage is given which helps people put the score into perspective
easily. However, this can also be misleading... let's say test by test
you get 10 except for a couple of tests for router, firewall, and IDS for
which you get very bad scores. Looking at the overall score gives a false
sense of security to the casual report reader.

Hope this helps.

--- 11ack3r <11ack3r@xxxxxxxxx> wrote:

Hi,

Is there a security criterion or matrix against which we could grade a
customer's pen test results? Like assigning them a grade between A and E
or 1 to 10.

*.*


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE
today!

http://www.cenzic.com/downloads

------------------------------------------------------------------------







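The 0-10 points system and its averaging pitfall from JD Lampard's reply, worked through as an added example (not code from anyone in this thread): the control names, the set of "critical" tests and the floor threshold are assumptions chosen to reproduce the router/firewall/IDS case he describes.

```python
"""Per-test 0-10 scoring with an overall percentage, plus a check that stops
a high average from hiding very bad scores on a few critical controls."""
from typing import Dict, List, Tuple

# Constructed sample results: 10 on every test except router, firewall and
# IDS, which score very badly (the situation described in the thread).
SAMPLE_SCORES: Dict[str, int] = {
    "patching": 10, "password policy": 10, "web input validation": 10,
    "wireless": 10, "physical access": 10, "logging": 10, "backups": 10,
    "router": 2, "firewall": 1, "ids": 0,
}

# Assumed: tests whose failure matters regardless of the overall average.
CRITICAL_TESTS = {"router", "firewall", "ids"}
CRITICAL_FLOOR = 7  # assumed: a critical test below this is a headline finding


def overall_percentage(scores: Dict[str, int]) -> float:
    """Mean of the 0-10 scores expressed as a percentage (the 'overall score')."""
    for name, s in scores.items():
        if not 0 <= s <= 10:
            raise ValueError(f"{name}: score {s} is outside 0-10")
    return round(sum(scores.values()) / (10 * len(scores)) * 100, 1)


def critical_failures(scores: Dict[str, int]) -> List[Tuple[str, int]]:
    """Critical tests scoring below the floor, worst first."""
    bad = [(n, s) for n, s in scores.items()
           if n in CRITICAL_TESTS and s < CRITICAL_FLOOR]
    return sorted(bad, key=lambda ns: ns[1])


def grade(scores: Dict[str, int]) -> Dict[str, object]:
    """Report the plain average next to a headline score that is capped by the
    worst critical control (assumed rule), so 73% cannot read as 'fine' when
    the perimeter controls failed."""
    pct = overall_percentage(scores)
    critical_scores = [s for n, s in scores.items() if n in CRITICAL_TESTS]
    worst_critical = min(critical_scores) if critical_scores else 10
    return {
        "average_pct": pct,                        # what the casual reader sees
        "headline_pct": min(pct, worst_critical * 10),
        "critical_failures": critical_failures(scores),
    }


if __name__ == "__main__":
    print(grade(SAMPLE_SCORES))
```

With the sample above the average is 73.0% while the capped headline score is 0.0%, and the three failing critical tests are listed explicitly.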


