Penetration Testing
Question of Likelihood May 14 2012 03:21AM
Pen Testar (pentestar ymail com) (2 replies)
Re: Question of Likelihood May 16 2012 06:56PM
Pete Herzog (lists isecom org)
Hi,

Have you looked into the OSSTMM ravs (attack surface classification
and metrics)? It would help you categorize the order in the way you
want here, by what they do and not some guessed weighting or priority
system. Basically it would let you prioritize by 5 vulnerability
classifications, and that way if something provides access in any way
it's classified as a higher priority than something that just gives an
exposure.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete (at) isecom (dot) org [email concealed]
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

On 5/14/2012 5:21 AM, Pen Testar wrote:
> I'm testing an app with sensitive information that is full of holes. Reflected and persisted XSS, CSRF, various injection attacks... you name it.
>
>
> You also have a bunch of vulns that aren't typically of high likelihood, but in the presence of the other vulns above (I'll call them the "enabling" vulns), some of these lows are easier to exploit. When you rank, do you rank each vuln independently or in context of others?
>
>
> I can see arguments either way:
> 1.      One opinion may say rank independently as long as the enabling vulns are marked high. That way if the project team can't fix 'em all, then they can focus on the enabling ones and that'll naturally bring the others down to low. You also don't want to hand them a report with too many highs, so as not to appear like an alarmist and lose credibility.
> 2.      The other opinion may say rank it high because this is the truth in view of the current posture of the application.
>
> What's the common practice out there?
>
> Thanks
> Pentestar
>
> ------------------------------------------------------------------------

> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

>
>
>
>


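The two ranking approaches the question describes (rate each finding on its own, or rate it in the context of the "enabling" findings) can be made concrete. The following is an added example in Python, not code from the thread, ISECOM or the OSSTMM: the findings, the 1-3 likelihood/impact scale, the score thresholds and the rule that a dependent finding inherits the likelihood of any unfixed enabler are all constructed assumptions chosen to illustrate the point, not OSSTMM rav arithmetic.

```python
"""Independent vs. contextual ranking of findings (added example).

Assumptions (not from the thread): a 1-3 ordinal scale for likelihood and
impact, score = likelihood * impact, and an 'enabled_by' link meaning an
attacker who can use the enabler gets at least the enabler's likelihood
against the dependent finding.
"""
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: str          # likelihood when the finding is rated on its own
    impact: str
    enabled_by: tuple = ()   # names of findings that make this one easier to exploit


def label(score):
    """Map a 1-9 score back to the report's low/medium/high buckets (assumed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def effective_likelihood(finding, by_name, fixed, _seen=frozenset()):
    """Likelihood once enablers are taken into account.

    Walks the enabled_by chain, skipping enablers that are already fixed,
    unknown, or already on the current path (guards against cycles).
    """
    score = SCALE[finding.likelihood]
    for enabler in finding.enabled_by:
        if enabler in fixed or enabler in _seen or enabler not in by_name:
            continue
        score = max(score, effective_likelihood(by_name[enabler], by_name, fixed,
                                                _seen | {finding.name}))
    return score


def rank(findings, contextual, fixed=frozenset()):
    """Return [(name, label)] sorted highest first.

    contextual=False: opinion 1 from the question, every finding rated alone.
    contextual=True:  opinion 2, rated against the current posture; passing a
    set of fixed enabler names shows how the lows fall back once those are closed.
    """
    by_name = {f.name: f for f in findings}
    rows = []
    for f in findings:
        if f.name in fixed:
            continue
        lik = effective_likelihood(f, by_name, fixed) if contextual else SCALE[f.likelihood]
        score = lik * SCALE[f.impact]
        rows.append((f.name, label(score), score))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return [(name, lbl) for name, lbl, _ in rows]


# Constructed sample findings for the kind of app the question describes.
FINDINGS = (
    Finding("stored_xss", "high", "high"),
    Finding("csrf_on_state_changes", "high", "medium"),
    Finding("no_reauth_on_password_change", "low", "medium",
            enabled_by=("csrf_on_state_changes",)),
    Finding("session_never_expires", "low", "medium",
            enabled_by=("stored_xss",)),
    Finding("verbose_stack_traces", "medium", "low"),
)


if __name__ == "__main__":
    print("independent:", rank(FINDINGS, contextual=False))
    print("contextual: ", rank(FINDINGS, contextual=True))
    print("after fixing CSRF:",
          rank(FINDINGS, contextual=True, fixed=frozenset({"csrf_on_state_changes"})))
```

Run stand-alone it prints the three rankings; the password-change finding is low on its own, high in context, and back to low once the CSRF enabler is marked fixed, which is exactly the trade-off the two opinions in the question are arguing about.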
Re: Question of Likelihood May 14 2012 07:56PM
Justin Rogosky (jrogosky gmail com)
Copyright 2010, SecurityFocus