sunhux

asked on

questions on penetration testing: ratings & # days to resolve

Some questions were raised on our practice of penetration testing:

a) What are the various bases on which the ratings of Critical, High, Med, Low
    are assigned? Will XSS on external-facing servers get High, while XSS on
    internal servers (not exposed to the public/Internet) gets Med? Are there
    also various types of XSS that warrant different ratings?
    Curious how the various tools assign these ratings, or whether in some
    cases it's the human pentester who assigns them?

b) Is there any framework, e.g. NIST, CREST or ..., that specifies
     the duration to resolve?
ASKER CERTIFIED SOLUTION
masnrock
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
sunhux

ASKER

>If you were talking about CVSS scores,
Can you point me to any authoritative links for CVSS scorings
that recommend the # days for remediation?
SOLUTION
SOLUTION