Re: Betr.: Grading System
robert_at_dyadsecurity.com
Date: 11/23/04
- Previous message: Jason.Burzenski_at_americanhm.com: "AS400 Hardening Guidelines"
- In reply to: Philip Wagenaar: "Betr.: Grading System"
Date: Tue, 23 Nov 2004 11:08:42 -0800
To: Philip Wagenaar <p.wagenaar@accon.nl>
> >>> "Paul Ryan" <pryan@rogers.wave.ca> 22-11-04 21:29 >>>
> Just looking for more input here - as part of an assessment, is there an
> industry-accepted grading system?
Risk Assessment Values (RAVs), as described in the Open Source Security Testing Methodology Manual (OSSTMM - http://www.osstmm.org), provide a way to clearly describe the types of problems that were found. It lets the analyst distinguish between identified (the application is the right version to be vulnerable) vs. verified (we introduced this stimulus and got this response, confirming that the application is absolutely vulnerable).
The 3.0 (soon to be released) version of the OSSTMM is a significant improvement over the 2.1 RAV framework ... but there is still value to reading up on the 2.1 language.
I have found the RAV system to be a significant improvement over the "High/Medium/Low" industry standard language.
Robert
--
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033