Open adammontville opened 5 years ago
Internal note (does not need to be included in spec): While we could take this proposal in the direction of ensuring that each result or scan has a corresponding pen test, I didn't think that was the way to go. Not all vuln scans would necessarily translate into a viable test. Please let me know if you disagree.
Inputs
1) Penetration Testing Program document

Operations
1) Manually review the Penetration Testing Program document (Input 1) to verify that it instructs the organization to use vulnerability scan results to inform penetration testing efforts. The presence or absence of this instruction becomes M1.

Measures
M1: Boolean value indicating whether the Penetration Testing Program document includes instructions for using vulnerability scan results to inform penetration testing efforts

Metrics
Presence or absence of instructions to use vulnerability scan results to inform penetration testing efforts: M1
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
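As an added example (not part of this issue, the proposal above, or the CIS Controls text), the script below takes the "starting point" idea literally: it ingests a vulnerability-scanner export and turns it into a ranked list of hosts and findings for the penetration-test team to pursue first. The CSV layout, the column names, the minimum-CVSS cut-off and the scoring weights are assumptions made for the illustration, and the sample rows are constructed data using documentation address ranges, not output from any real scanner.

```python
"""Turn vulnerability-scan findings into a prioritized penetration-test scope.

Added example. The export format is a simplified CSV modelled on the columns
most scanners can emit; the field names and scoring weights are assumptions
made for this illustration, not a published scheme.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export (TEST-NET-3 and RFC 1918 addresses); not real scan data.
SAMPLE_SCAN_CSV = """host,port,protocol,finding,severity,cvss,exploit_available,exposure
203.0.113.10,443,tcp,Outdated web framework with public RCE exploit,Critical,9.8,true,external
203.0.113.10,22,tcp,SSH server offers weak ciphers,Low,3.7,false,external
10.0.0.5,445,tcp,SMB signing not required,Medium,5.3,false,internal
10.0.0.5,3389,tcp,RDP reachable with NLA disabled,High,7.5,true,internal
10.0.0.7,80,tcp,HTTP server version disclosed,Info,0.0,false,internal
10.0.0.9,8080,tcp,Default credentials on management console,High,8.8,true,internal
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    protocol: str
    title: str
    severity: str
    cvss: float
    exploit_available: bool
    exposure: str  # "external" or "internal"

    def test_priority(self) -> float:
        """Weight a scanner finding by how useful it is as a pentest lead.

        Assumed weights: CVSS base score, plus 3.0 when a public exploit
        exists (the tester can attempt exploitation rather than only confirm
        a version string), plus 1.0 when the service is externally exposed.
        """
        score = self.cvss
        if self.exploit_available:
            score += 3.0
        if self.exposure == "external":
            score += 1.0
        return score


@dataclass
class HostScope:
    host: str
    score: float
    leads: list[Finding]  # highest-priority lead first


def parse_scan(csv_text: str) -> list[Finding]:
    """Parse the (assumed) scanner CSV export into Finding records."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append(
            Finding(
                host=row["host"].strip(),
                port=int(row["port"]),
                protocol=row["protocol"].strip().lower(),
                title=row["finding"].strip(),
                severity=row["severity"].strip(),
                cvss=float(row["cvss"]),
                exploit_available=row["exploit_available"].strip().lower() == "true",
                exposure=row["exposure"].strip().lower(),
            )
        )
    return findings


def build_pentest_scope(findings: list[Finding], min_cvss: float = 4.0) -> list[HostScope]:
    """Group findings by host and rank hosts by their strongest test lead.

    Findings below min_cvss (informational and, by default, low severity) are
    dropped: they rarely translate into a viable test and would only pad the
    scope. A host with no remaining findings does not appear at all.
    """
    by_host: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        if f.cvss >= min_cvss:
            by_host[f.host].append(f)

    scopes: list[HostScope] = []
    for host, leads in by_host.items():
        leads.sort(key=lambda f: f.test_priority(), reverse=True)
        # Strongest lead, plus a small bonus per additional lead so a host with
        # several footholds ranks above one with a single lead of equal strength.
        score = leads[0].test_priority() + 0.5 * (len(leads) - 1)
        scopes.append(HostScope(host, score, leads))

    scopes.sort(key=lambda s: (-s.score, s.host))
    return scopes


def render_scope(scopes: list[HostScope]) -> str:
    """Plain-text scope for handing to the pentest team."""
    lines = []
    for rank, s in enumerate(scopes, 1):
        lines.append(f"{rank}. {s.host} (priority {s.score:.1f})")
        for f in s.leads:
            action = "attempt exploitation" if f.exploit_available else "verify and assess manually"
            lines.append(f"   - {f.protocol}/{f.port} {f.title} [{f.severity}, CVSS {f.cvss}] -> {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_scope(build_pentest_scope(parse_scan(SAMPLE_SCAN_CSV))))
```

On the sample data the externally exposed host with an exploitable critical finding ranks first, the host with default credentials second, and the host with two medium/high findings third; the informational-only host is left out of the scope entirely, and the low-severity SSH finding does not become a test item. Raising `min_cvss` tightens the scope further, which is the knob to turn when the scan produces far more findings than the engagement has time to test.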