Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Is there an Open Source Vulnerability Analysis Framework?

from [Steve Armstrong] Network Security [Permanent Link]
Subject: Is there an Open Source Vulnerability Analysis Framework?
Date: Sat, 15 Jul 2006 01:23:03 +0100 
Please excuse this request, if it sounds noddy. . . . 
 
Having worked in the areas of penetration testing, vulnerability
analysis, operational security, risk analysis and accreditation (the UK
Government's process of getting authority to operate for 'classified'
systems), I have yet to come across an open source vulnerability
analysis framework.
 
We have loads of in-house procedures for actually doing the testing and
documents for pre, during and post testing, but nothing that would allow
another tester to repeat the same contract and produce the same results
or report.  More importantly there appears to be nothing in the public
domain for the customer to read and understand what we were trying to
achieve and what his role in the process was prior to our engagement.
 
It sort of comes down to the fact that there is no way of getting two
testers to give you the same results for testing the same network, and
while this is good for business in the short term, it does not seem
useful for the client in the long term.
 
Thus my question to the lists is: 
 
    Bar the OSSTMM and the Hacking Exposed methodologies, what other
open source or otherwise testing and test definition frameworks are out
there?  
 
I am looking really at all aspects of data access via network enabled
connectivity at the moment, other types of access and risks will come
later.
 
The main reason for asking is this that recently, I devised what appears
to be a comprehensive process that should allow two different testing
bodies to produce the same test plan and more importantly the same
results; and while some generally ignore variations in the testers
skills, this will allow the client to confirm before the testing occurs
that the tester has the necessary skills.  
 
So before I go through the stages of developing this framework (will be
open source) further, I though it best to check it has not already been
done.  I would be grateful for any pointers and urls.
 
Thx 
 
Steve A
(nebs)

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How to perform SSL certificate validation ?, Nagareshwar Talekar
Next by Date:  Re: How to perform SSL certificate validation ?, paseidon76
Previous by Thread:  Preliminary CFP:The 2nd International Conference on Availability, Reliability and Security (ARES 07), Vienna, Austria, April 10-13, 2007, Manh Tho
Next by Thread:  Re: Is there an Open Source Vulnerability Analysis Framework?, killy
Indexes:  [Date] [Thread] [Top] [All Lists]