Security Auditing Report Conventions and Standards

From: Sandeep Giri (sandeepgiriat_private)
Date: Tue Jan 28 2003 - 23:00:07 PST

    Hi!
    Is there any standard format for reporting and analysing the security
    problems in an application?
    Or does it depend on the application type?
    I have published the security auditing report in the following format:
    ---------------------------------------------------------
    Filename/bugs              Existence/exploit possibility   Severity/impact of bug
    File1
      User Authentication                  1                             2
      ...
      ..
      ..
      ..
    ------------------------------------------------------------
    Conventions:
    Existence/Exploit possibility:
    0 – Doesn’t exist
    1 – Exists but impossible to exploit
    2 – Exists but difficult to exploit
    3 – Exploitable
    
    Severity/Impact of bug:
    0 – No harm
    1 – May allow one user to read/write another user’s resource
    2 – May allow one user to read/write/execute the system’s privileged resource
    
    Is that okay?
    
    Thanks.
    Best regards,
    Sandeep Giri
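As an added illustration (not part of the original message, and not the poster's own tooling), here is a small Python script that stores findings using the two scales defined above, validates the codes, renders the same Filename/bugs table, and orders findings so that exploitable, high-impact bugs come first. The triage ordering by (existence, severity) and the sample findings are assumptions made here; the message only defines the scales.

```python
from dataclasses import dataclass

# The two scales exactly as defined in the message.
EXISTENCE = {0: "Doesn't exist", 1: "Exists but impossible to exploit",
             2: "Exists but difficult to exploit", 3: "Exploitable"}
SEVERITY = {0: "No harm",
            1: "May allow one user to read/write another user's resource",
            2: "May allow one user to read/write/execute a privileged system resource"}

@dataclass(frozen=True)
class Finding:
    filename: str
    bug: str
    existence: int   # 0..3 on the Existence/exploit-possibility scale
    severity: int    # 0..2 on the Severity/impact scale

def validate(f: Finding) -> Finding:
    """Reject codes that fall outside the defined scales."""
    if f.existence not in EXISTENCE:
        raise ValueError(f"{f.bug}: existence {f.existence} not in 0..3")
    if f.severity not in SEVERITY:
        raise ValueError(f"{f.bug}: severity {f.severity} not in 0..2")
    return f

def prioritise(findings):
    """Assumed triage order: most exploitable first, then most severe."""
    return sorted((validate(f) for f in findings),
                  key=lambda f: (f.existence, f.severity), reverse=True)

def render(findings) -> str:
    """Plain-text report in the message's layout: file line, then one row per bug."""
    lines = [f"{'Filename/bugs':<32}{'Existence/exploit':<20}Severity/impact"]
    current = None
    for f in map(validate, findings):
        if f.filename != current:
            current = f.filename
            lines.append(current)
        lines.append(f"  {f.bug:<30}{f.existence:<20}{f.severity}")
    return "\n".join(lines)

# Constructed sample findings (hypothetical, not real audit data).
SAMPLE = [
    Finding("File1", "User Authentication", 1, 2),
    Finding("File1", "Session Timeout", 3, 1),
    Finding("File2", "Log File Permissions", 2, 2),
]

if __name__ == "__main__":
    print(render(SAMPLE))
    for f in prioritise(SAMPLE):
        print(f"{f.bug}: {EXISTENCE[f.existence]}; {SEVERITY[f.severity]}")
```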
    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 13:06:28 PST