
29 August 2012

Comments

Great tips Nathan - you might want to change the Define the Data to Define the Scope and include some information regarding threat modelling; it doesn't do the client any good to provide a 2-day pentest to provide assurance regarding a threat actor that will spend 2 months of effort trying to get the data. The same goes for including/excluding social and physical assessment steps.

The scope and underlying threat model should be defined not based on the data, but on probabilistic threats (actors and techniques) to that data. I find it helps to separate those clients asking for the test for compliance vs real assurance.

Regards.
