@jacobian
Last active December 3, 2016 05:10
Security Hardness - another idea

This is a draft "security hardness scale", designed to roughly quantify the level of effort a penetration test took, since simply measuring "how many vulns did you find" is a terrible measure of success. The goal is to measure the "hardness" of the system under test in a way that is at least somewhat quantitative.

The result is a score from 1-10. The scale is inspired by the Mohs hardness scale in that it is an ordinal scale, not an absolute one. That is, the "gap" between 3 and 4 doesn't have to be the same "difficulty increase" as the gap between 5 and 6. It's simply a way of saying that one pentest was "harder" than another. (This is in lieu of being able to measure "hardness" in any truly quantitative way.)

Instructions:

  1. Pick the most severe exploit (not vulnerability but actual exploit, an exploit being a confirmed breach of confidentiality, integrity or availability) discovered by the pentest.
  2. Answer the questions below. Feel free to award points "in between" rows: for example, if a team of several juniors found the exploit, you could reasonably award a 2-3 for skill level. Or if the severity is truly off the chart, you could go to 11. This is not scientific; go wild.
  3. Hardness = (A + B + C + D + E) / 5

A. How was the vuln(s) leading to the exploit found?

| Points | Scenario |
|---|---|
| 1 | trivial poking (`;` in a text box) |
| 2 | automated scanner (e.g. Metasploit) found it directly |
| 5 | automated scanner gave hints, but additional engineering was required to find the real vuln |
| 7 | custom but typical work (e.g. a custom XSS injection coded by hand) |
| 10 | truly novel work |

B. How did the discovered vuln(s) lead to a real exploit?

| Points | Scenario |
|---|---|
| 1 | a single vuln directly led to the exploit (e.g. a discovered SQLi led to data disclosure) |
| 3 | a typical short chain was required (e.g. RCE led to a user shell, privesc to a root shell) |
| 5 | multiple, creative chained vulns led to the exploit |
| 8 | an 0day led to the exploit |
| 9 | an 0day plus multiple chained vulns |
| 10 | multiple chained 0days |

C. What was the approximate level of effort (rough person-hours or "scrum points") required to find the exploit?

| Points | Level of effort |
|---|---|
| 1 | x-small / minutes |
| 4 | small / hours |
| 7 | medium / days |
| 9 | large / weeks |
| 10 | heinous / months |

D. What's the skill level of the person/team required to find the exploit?

| Points | Skill level |
|---|---|
| 1 | junior |
| 4 | mid-career |
| 7 | senior/lead |
| 10 | team of multiple senior/leads |

E. What's the severity of the exploit discovered?

| Points | Severity |
|---|---|
| 1 | critical |
| 3 | high |
| 5 | medium |
| 7 | low |
| 10 | notice |

(Yes, this is correct, though it looks backwards. A critical exploit found with trivial work indicates a low hardness, while a low-severity exploit found only with hard work indicates high hardness.)
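The scoring procedure above, as an added example that is not part of the gist. The point values are the gist's own; the rubric labels, the `Exploit` type, and the three sample findings are assumptions made for the example. It also encodes the "in between" and "up to 11" allowances by accepting a raw number in place of a label. The gist does not say what to do when a pentest confirms no exploit at all, so this code simply requires one score per factor.

```python
"""Score a penetration test on the gist's 1-10 "security hardness" scale.

Example code added to illustrate the procedure; not part of the gist.
Point values are the gist's; labels, types and sample findings are assumptions.
"""
from dataclasses import dataclass

# Rubrics A-E from the gist. Keys are labels a tester picks; values are points.
DISCOVERY = {  # A. how the vuln was found
    "trivial poking": 1,
    "scanner found directly": 2,
    "scanner hinted, engineering needed": 5,
    "custom but typical work": 7,
    "truly novel work": 10,
}
CHAIN = {  # B. how the vuln became a confirmed exploit
    "single vuln": 1,
    "typical short chain": 3,
    "multiple creative chained vulns": 5,
    "0day": 8,
    "0day plus chain": 9,
    "multiple chained 0days": 10,
}
EFFORT = {  # C. rough person-hours / scrum points
    "minutes": 1, "hours": 4, "days": 7, "weeks": 9, "months": 10,
}
SKILL = {  # D. skill needed to find it
    "junior": 1, "mid-career": 4, "senior/lead": 7, "team of senior/leads": 10,
}
SEVERITY = {  # E. severity, inverted on purpose (see the gist's note)
    "critical": 1, "high": 3, "medium": 5, "low": 7, "notice": 10,
}
RUBRICS = {"A": DISCOVERY, "B": CHAIN, "C": EFFORT, "D": SKILL, "E": SEVERITY}


@dataclass(frozen=True)
class Exploit:
    """The single most severe confirmed C/I/A breach from one pentest (assumed type)."""
    name: str
    scores: dict  # factor letter -> rubric label, or a raw number for "in between"


def factor_points(letter: str, value) -> float:
    """Resolve one factor to points. A label is looked up in its rubric; a number
    is taken as-is for the gist's "in between" and "off the chart" (up to 11) cases."""
    if isinstance(value, str):
        try:
            return float(RUBRICS[letter][value])
        except KeyError:
            raise ValueError(f"unknown label {value!r} for factor {letter}") from None
    points = float(value)
    if not 1 <= points <= 11:
        raise ValueError(f"factor {letter}: {points} is outside 1..11")
    return points


def hardness(exploit: Exploit) -> float:
    """Hardness = (A + B + C + D + E) / 5, rounded to one decimal place."""
    missing = set(RUBRICS) - set(exploit.scores)
    if missing:
        raise ValueError(f"{exploit.name}: no score for factor(s) {sorted(missing)}")
    total = sum(factor_points(k, exploit.scores[k]) for k in RUBRICS)
    return round(total / len(RUBRICS), 1)


def compare(exploits):
    """Rank pentests from softest to hardest target. The ordering is all the
    scale promises: a one-point gap carries no meaning beyond "harder than"."""
    return sorted((hardness(e), e.name) for e in exploits)


# Constructed sample findings; not real engagements.
SOFT_TARGET = Exploit("shop-api", {
    "A": "scanner found directly",  # 2
    "B": "single vuln",             # 1
    "C": "hours",                   # 4
    "D": "junior",                  # 1
    "E": "critical",                # 1  -> (2+1+4+1+1)/5 = 1.8
})
MID_TARGET = Exploit("web-portal", {
    "A": "scanner hinted, engineering needed",  # 5
    "B": "typical short chain",                 # 3
    "C": "days",                                # 7
    "D": 2.5,                                   # in between: a team of several juniors
    "E": "high",                                # 3  -> (5+3+7+2.5+3)/5 = 4.1
})
HARD_TARGET = Exploit("payments-core", {
    "A": "truly novel work",  # 10
    "B": "0day plus chain",   # 9
    "C": "weeks",             # 9
    "D": "senior/lead",       # 7
    "E": "low",               # 7  -> (10+9+9+7+7)/5 = 8.4
})

if __name__ == "__main__":
    for score, name in compare([HARD_TARGET, SOFT_TARGET, MID_TARGET]):
        print(f"{name}: hardness {score}")
```

The severity inversion falls out of the `SEVERITY` table alone: a trivially found critical finding scores 1.8, while a low-severity finding that took novel work, an 0day chain and weeks of senior time scores 8.4, exactly the "looks backwards" behaviour the note above describes.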
