This is a draft "security hardness scale", designed to roughly quantify the level of effort of a penetration test, since simply measuring "how many vulns did you find" is a terrible measure of success. The goal is to measure the "hardness" of the system under test in a somewhat quantitative way.
The result is a score from 1-10. The scale is inspired by the Mohs Hardness Scale in that it's simply an ordinal scale, not an absolute one. That is, the "gap" between 3 and 4 doesn't have to be the same "difficulty increase" as the gap between 5 and 6. It's simply a way of rating that one pentest was "harder" than another. (This is in lieu of being able to measure "hardness" in any truly quantitative way.)
Instructions:

1. Pick the most severe exploit (not vulnerability but actual exploit, an exploit being an actual confirmed breach of confidentiality, integrity or availability) discovered by the pentest.
2. Answer the questions below. Feel free to award points "in between" areas; for example, if a team of several juniors found the exploit, you could reasonably award a 2-3 there. Or if the severity is truly off the chart, you could go to 11. This is not scientific, go wild.
3. Hardness = (A + B + C + D + E) / 5
A. How was the vuln(s) leading to the exploit found?

| Points | Scenario |
|---|---|
| 1 | trivial poking (";" in a text box) |
| 2 | automated scanner (e.g. metasploit) found it directly |
| 5 | automated scanner gave hints, but additional engineering was required to find the real vuln |
| 7 | custom but typical work (e.g. custom XSS injection coded) |
| 10 | truly novel work |
B. How did the discovered vuln(s) lead to a real exploit?

| Points | Scenario |
|---|---|
| 1 | a single vuln directly led to the exploit (e.g. a discovered SQLi led to data disclosure) |
| 3 | a typical short chain of exploits was required (e.g. RCE led to a user shell, privesc to a root shell) |
| 5 | multiple, creative chained vulns led to the exploit |
| 8 | an 0day led to the exploit |
| 9 | an 0day plus multiple chained vulns |
| 10 | multiple chained 0days |
C. What was the approximate level of effort (rough person-hours or "scrum points") required to find the exploit?

| Points | Level of effort |
|---|---|
| 1 | x-small / minutes |
| 4 | small / hours |
| 7 | medium / days |
| 9 | large / weeks |
| 10 | heinous / months |
D. What's the skill level of the person/team required to find the exploit?

| Points | Skill level |
|---|---|
| 1 | junior |
| 4 | mid-career |
| 7 | senior/lead |
| 10 | team of multiple senior/leads |
E. What's the severity of the exploit discovered?

| Points | Severity |
|---|---|
| 1 | critical |
| 3 | high |
| 5 | medium |
| 7 | low |
| 10 | notice |

(Yes, this is correct, though it looks backwards. A critical vulnerability found with trivial work indicates a low hardness, while a low vuln found with hard work indicates high hardness.)
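As an added worked example (not part of the original scale), the following Python encodes the five rubrics above, accepts the "in between" and off-the-chart (11) values the instructions allow, maps a severity label to its inverted E score, and scores two constructed pentest scenarios end to end. The scenarios, function names and the rounding to two decimals are assumptions made for illustration; the anchor points and the formula are the page's own.

```python
"""Worked scoring of the security hardness scale:
Hardness = (A + B + C + D + E) / 5 over five ordinal rubrics."""
from typing import Dict

# Anchor points copied from the five tables above. The scale is ordinal,
# so any value between anchors (and up to 11, "off the chart") is accepted.
ANCHORS: Dict[str, Dict[int, str]] = {
    "A": {1: "trivial poking", 2: "scanner found it directly",
          5: "scanner hinted, engineering needed",
          7: "custom but typical work", 10: "truly novel work"},
    "B": {1: "single vuln led directly to exploit", 3: "typical short chain",
          5: "multiple creative chained vulns", 8: "an 0day",
          9: "0day plus multiple chained vulns", 10: "multiple chained 0days"},
    "C": {1: "minutes", 4: "hours", 7: "days", 9: "weeks", 10: "months"},
    "D": {1: "junior", 4: "mid-career", 7: "senior/lead",
          10: "team of multiple senior/leads"},
    "E": {1: "critical", 3: "high", 5: "medium", 7: "low", 10: "notice"},
}

# Severity is deliberately inverted: a critical finding scores LOW hardness.
SEVERITY_POINTS = {"critical": 1, "high": 3, "medium": 5, "low": 7, "notice": 10}

MIN_POINTS, MAX_POINTS = 1, 11  # 11 is the "truly off the chart" escape hatch


def severity_points(label: str) -> int:
    """Map a severity label (case-insensitive) to its inverted E score."""
    try:
        return SEVERITY_POINTS[label.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown severity {label!r}") from None


def hardness(a: float, b: float, c: float, d: float, e: float) -> float:
    """Average of the five rubric answers, rounded to two decimals (an
    assumption; the page does not specify rounding). Fractional values
    such as 2.5 for A are allowed, as is 11."""
    for name, value in zip("ABCDE", (a, b, c, d, e)):
        if not MIN_POINTS <= value <= MAX_POINTS:
            raise ValueError(f"{name}={value} is outside {MIN_POINTS}..{MAX_POINTS}")
    return round((a + b + c + d + e) / 5, 2)


def describe(axis: str, points: float) -> str:
    """Nearest anchor at or below the given points, for a readable report."""
    table = ANCHORS[axis]
    return table[max(k for k in table if k <= points)]


def score_scanner_sqli() -> float:
    """Constructed scenario: a scanner flagged SQLi, a single query dumped a
    table (critical), in minutes, by a junior. A=2, B=1, C=1, D=1, E=1."""
    return hardness(2, 1, 1, 1, severity_points("critical"))


def score_novel_chain() -> float:
    """Constructed scenario: novel research, an 0day chained with several
    other bugs, weeks of work by a team of seniors, ending in only a
    low-severity leak. A=10, B=9, C=9, D=10, E=7."""
    return hardness(10, 9, 9, 10, severity_points("low"))


if __name__ == "__main__":
    for name, fn in (("scanner SQLi", score_scanner_sqli),
                     ("novel 0day chain", score_novel_chain)):
        print(f"{name}: hardness {fn()}")
    print("A=6 reads as:", describe("A", 6))
```

The two scenarios show why the severity table is inverted: the critical finding that took a scanner and minutes scores 1.2, while the weeks-long novel chain that only yielded a low-severity leak scores 9.0, which is the ordering the scale is meant to produce.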