A company that commissions an IT security audit may find that, if the same audit is performed by two different security analysts, the number of weaknesses reported, the evidence gathered and the risk assessment all differ. Several key aspects must be considered in a penetration test if the assessment is to be consistent.
Security risk analysis is a highly subjective activity, and two assessments of the same system may differ beyond reason. This disparity in the criticality assigned to findings and in the risk rating of assets has a negative impact on several organisational and project-management aspects:
- Defending the results of a penetration test in an executive meeting.
- Defending the results before the technical department.
- Prioritising the technical action plan.
- Justifying the investment in periodic security audits.
- Deciding on investment in technology and perimeter security controls.
To improve these aspects, the Tarlogic Security Team relies on CVSS (Common Vulnerability Scoring System), an IT security risk classification methodology that leaves little room for misinterpretation of the risk level and whose result can be expressed as a compact vector string and represented graphically.
CVSS combines several groups of metrics to measure the impact of a vulnerability. The main group is the base metrics, which describe the intrinsic characteristics of the vulnerability:
- How the vulnerable system can be reached and how difficult the attack is to carry out (Access Vector and Access Complexity)
- Whether authentication is required to exploit the security flaw (Authentication)
- The impact on the confidentiality of information (Confidentiality Impact)
- The impact on the integrity of information (Integrity Impact)
- The impact on the availability of the system (Availability Impact)
The temporal metrics adjust the base score according to factors that change over time: whether a functional exploit for the vulnerability exists (Exploitability), whether an official patch or workaround is available (Remediation Level), and how reliable the report of the vulnerability is (Report Confidence).
Using CVSSv2 gives a consistent, reproducible measure of the severity of the weaknesses found in your organisation, and allows you to justify, on the basis of those results, the need for greater investment in security.
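The following is an added example, not code from the original article or from Tarlogic, showing how the base and temporal metrics described above are turned into a score. It implements the CVSSv2 base and temporal equations and metric weights published in the CVSS v2.0 guide, parses the standard vector-string notation (for example `AV:N/AC:L/Au:N/C:N/I:N/A:C`), and rounds half-up as the guide specifies. The function names (`parse_vector`, `base_score`, `temporal_score`, `score`, `severity`) and the sample vectors are this example's own choices; the Low/Medium/High bands in `severity` follow NVD's convention for CVSSv2 scores, which is not part of the CVSS specification itself.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSSv2 base metric weights, as published in the CVSS v2.0 guide.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector: Local / Adjacent network / Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity: High / Medium / Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication: Multiple / Single / None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality/Integrity/Availability impact: None / Partial / Complete

# CVSSv2 temporal metric weights; "ND" (not defined) leaves the score unchanged.
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}    # Exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}  # Remediation Level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}             # Report Confidence

BASE_METRICS = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}
TEMPORAL_METRICS = {"E": E, "RL": RL, "RC": RC}


def round1(x):
    """Round half-up to one decimal place, as the CVSSv2 guide requires.
    Python's built-in round() uses banker's rounding, so it is not used here."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:F/RL:OF/RC:C]' into a {metric: value} dict.
    Rejects unknown metrics or values and vectors that omit a base metric."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        table = BASE_METRICS.get(name) or TEMPORAL_METRICS.get(name)
        if table is None or value not in table:
            raise ValueError(f"unknown metric or value: {part!r}")
        metrics[name] = value
    missing = set(BASE_METRICS) - set(metrics)
    if missing:
        raise ValueError(f"base metrics missing: {sorted(missing)}")
    return metrics


def base_score(metrics):
    """CVSSv2 base equation: 60% impact sub-score, 40% exploitability sub-score."""
    impact = 10.41 * (1 - (1 - CIA[metrics["C"]]) * (1 - CIA[metrics["I"]]) * (1 - CIA[metrics["A"]]))
    exploitability = 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]
    # f(Impact) is 0 when there is no impact at all, so a flaw with no C/I/A effect scores 0.0.
    f_impact = 0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def temporal_score(metrics, base):
    """CVSSv2 temporal equation: the rounded base score scaled by E * RL * RC.
    Done in Decimal so that exact ties (e.g. 8.265) round half-up correctly."""
    product = Decimal(str(base))
    for name, table in TEMPORAL_METRICS.items():
        product *= Decimal(str(table[metrics.get(name, "ND")]))
    return float(product.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def score(vector):
    """Return (base_score, temporal_score); temporal_score is None when the
    vector carries no temporal metrics."""
    metrics = parse_vector(vector)
    base = base_score(metrics)
    if any(name in metrics for name in TEMPORAL_METRICS):
        return base, temporal_score(metrics, base)
    return base, None


def severity(value):
    """Qualitative band used by NVD for CVSSv2 scores (not part of the CVSS spec)."""
    if value >= 7.0:
        return "High"
    if value >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed sample vectors: a remote unauthenticated denial of service,
    # the same flaw once a functional exploit and an official fix exist,
    # and a local, hard-to-exploit full compromise.
    for v in ("AV:N/AC:L/Au:N/C:N/I:N/A:C",
              "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",
              "AV:L/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C"):
        base, temporal = score(v)
        print(f"{v}\n  base={base} ({severity(base)}) temporal={temporal}")
```

Two analysts who agree on the vector string get exactly the same number, which is the point of the methodology: the discussion in the executive or technical meeting moves from "how bad is it?" to "which metric value is wrong?", and the temporal component makes explicit how the priority of a finding changes once an exploit is public or a patch ships.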