| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri May 5 16:41:31 2006 From: foofus at foofus.net (foofus@...fus.net) Subject: Patterns and Security Measurement On Fri, May 05, 2006 at 05:30:50PM +0200, Nguyen Pham wrote: > Actually, I am trying to measure security (and then security assurance) > level of a complex telecommunication network. I am looking for a > method/approach/product using sets of predefined, standard entities > (station, server, firewall, router, ...) and relations (forming > "patterns" like pipe, cluster, bus, gateway, ..., architectures) which > have already been measured to simplify the process of system security > measurement. An aggregation algorithm is then needed to arrive at an > overall system security value. I've done some work along these lines, involving just servers and workstations. My materials from ToorCon might contain some items of interest for you: http://www.toorcon.org/2005/slides/foofus-howbigisthatfootinthedoor.pdf > Any recommendation of academic or industrial solutions would be welcome. In my bibliography, you'll see a reference to "Archipelago," which is a more general project. Their work is academic in nature, but I think their software is freely downloadable. > Other suggestions for solving the problem (security measurement of > complex network) are also greatly appreciated. See also NIST special publication 800-26; its a set of guidelines for evaluating security maturity. Non-technical in nature, but it provides a scale that can be nicely applied to more or less any specific security objective. --Foofus.
Powered by blists - more mailing lists