The Best Damn IT Security Management Book Period

Security providers around the world have been trying for years to engineer an effective means of conducting technical evaluations that is meaningful to the customer. For too long, we've seen fly-by-night consulting companies walk into a customer organization, run a security vulnerability scanner, print out the tool's default report (after replacing the logo), and present that to the customer as the final deliverable. Although the sheer bulk of this type of deliverable might impress an uneducated customer, once they start digging into the report's actual contents and trying to understand how it applies to their organization, they normally discover that this level of service is lacking.
Until recently, whether a repeatable, structured, and flexible methodology was used to provide these services varied from one provider to the next. Customers could never really be sure what to expect when they asked for a security evaluation. Would it be a penetration test? A...