From: Pete Herzog (lists@isecom.org)
Date: Wed Dec 12 2007 - 07:10:50 EST
Hi,
> Thanks for the feedback. I agree that this system could lead to
> mis-perception. But the "stop-light" is merely a tool to begin the
> discussion.
Have you looked into the RAVs at www.isecom.org/ravs and its extension, the
STAR (Security Test Audit Report)? It's a way to give a quantitative
report in a manner the management likes: as a grade. The reason why I
suggest this is because whenever people dismiss a bad practice as just a
means to "start a discussion" that can be a problem in security. We
should strive to be as accurate as possible so as to avoid confusion,
assume to be able to predict gut reaction, or even try to persuade a course
of action before we have all the facts. Whether it's a stop-light, a
thermometer, a 10 scale, etc. if it's not factual then it fails to deliver
any value. The RAVs will allow you to quantify security in terms of the
client and grade them according to their infrastructure. The STAR will
detail how the test was run, what was tested, and what was NOT tested so as
to be perfectly clear. You can even give a RAV value per system or per
service if you want to get that fine-grained. Pure Hacking, a company in
Australia, gives a RAV value for web application tests- that's how specific
they report. You may want to look into it.
Sincerely,
-pete.
www.isecom.org
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:15 EDT