Message-Id: <1404723841.13687.138782893.6AA691DB@webmail.messagingengine.com>
Date: Mon, 07 Jul 2014 02:04:01 -0700
From: Keira Cran <keiracran@....cc>
To: Pete Herzog <lists@...com.org>, fulldisclosure@...lists.org
Subject: Re: [FD] new pen-test tool!

Nice idea. Has there been any test to see if the scores are actually meaningful? Perhaps running this question test on an org and then doing a normal pentest to see if there is some correlation between (at least) the severity of the results?

On Thu, Jul 3, 2014, at 04:44 AM, Pete Herzog wrote:
> Hi!
>
> I have been working on a means for testing parties that we may not be
> able to legally directly test yet gives a clear answer for decision
> making. The idea was to use an interview like a pen-test to get
> information from the subject like a tester would where "asking them"
> was considered just one of the 4 means of getting information, treated
> much like throwing packets to get system responses does in a pen test.
>
> This allows you to get an idea of an attack surface of the target
> before you even probe them for an attack. You can also find the weak
> areas of trust to exploit. It also serves as an intro to a client's
> security on the first meeting and enhances the final report.
>
> The app has 2 parts - a trust metric and an attack surface metric (how
> much you can trust them and how protected they are). Eventually this
> will also combine into a final analysis. But until then...
>
> You can try it out here:
>
> http://archon.thewatchers.net/ISECOM/
>
>
>
> *************
> For those who want some more background about it:
>
> The hardest part was to craft reasonable questions to answer in a
> short list that didn't require much time or technical expertise. So it
> is written for the office manager or similar to execute. It also meant
> the questions had to be really loaded so as to answer multiple things
> at once, both pro and con security/trust. I am still not satisfied
> with the wording of the questions and I'm sure it may still have bugs
> but we turned it from a document into a web app that allowed basic
> clicking to get the answer.
>
> Now the client had this to save in a file to revisit for annual vendor
> reviews as well as for quarterly self-assessment of how they stand in
> their own services and offerings. This app doesn't have that
> functionality yet. They also wanted clear instructions on how to
> improve the score if it was low (rudimentary analysis/resolution)
> which this app also doesn't have yet.
>
> So the Vendor Checklist uses the RAV scoring from OSSTMM 3 derived
> from answers made in the checklist. The Trust Metric is a score based
> on trust metrics from the same place. But both have had the OSSTMM 4
> updates which include 2 new trust properties and changes in the
> calculation of operational controls.
>
> http://archon.thewatchers.net/ISECOM/
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - pete@...com.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/