Understand my pentest score

Modified on Mon, 28 Aug, 2023 at 11:50 AM


Through this article, you will learn how the audit score works and how to improve it.


Understanding How My Audit Score Works

Score presentation

The audit score is based on CCWAPSS (Common Criteria Web Application Security Scoring), a security evaluation methodology dedicated to web application penetration testing.

  • It is based on the following formula:
    Score = 10 - ∑ Risks

Thus, the audit score starts at 10 and decreases as vulnerabilities with a non-zero impact are identified.

  • The maximum score (10/10) signifies "compliant with best practices".


Understanding the risk factor

To determine the risk factor of a vulnerability, the auditor must answer the following questions:

  • Is this vulnerability trivial or sophisticated to exploit?
  • Is the impact on my activity low or significant?


Concrete Application on the Portal

For each identified vulnerability, recommendations are provided for correction.

These recommendations have varying impacts on the audit score (an impact can be zero, but such recommendations are still worth implementing).


For example:

  • An auditor found the following vulnerability: "2020-Q1 - One of the fields in the Newsletter application is not validated and allows execution of arbitrary SQL commands to access data in the database" to which they associated the recommendation "Use parameterized queries to prevent the interpretation of arbitrary SQL commands."
  • This recommendation has an impact of 3.
  • The score is therefore reduced by 3 points until the recommendation is addressed.

Improving My Audit Score

Impact of Recommendations

Any recommendation with a non-zero impact will result in a reduction of the audit score.


When any of these recommendations is marked as Resolved or Not Applicable, the score automatically increases (the change is visible in the History tab of the relevant audit).
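The scoring model described above (Score = 10 - ∑ Risks, one impact per recommendation, score rising again once a recommendation is Resolved or Not Applicable) replayed on the article's example, as an added Python illustration that is not the portal's own code; clamping at zero, the second recommendation and the identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field

MAX_SCORE = 10.0  # an audit starts at 10/10, "compliant with best practices"

# Statuses that stop a recommendation from weighing on the score
# (the article names "Resolved" and "Not Applicable").
CLEARED_STATUSES = {"Resolved", "Not Applicable"}


@dataclass
class Recommendation:
    vuln_id: str      # constructed identifier in the article's "2020-Q1" style
    text: str
    impact: float     # risk weight chosen by the auditor; zero is allowed
    status: str = "Open"


@dataclass
class Audit:
    recommendations: list = field(default_factory=list)
    history: list = field(default_factory=list)  # (event, score) pairs

    def score(self) -> float:
        """Score = 10 - sum of impacts of recommendations still open.
        Clamping at 0 is an assumption; the article does not state it."""
        open_risk = sum(r.impact for r in self.recommendations
                        if r.status not in CLEARED_STATUSES)
        return max(0.0, MAX_SCORE - open_risk)

    def add(self, rec: Recommendation) -> float:
        self.recommendations.append(rec)
        self.history.append((f"added {rec.vuln_id} (impact {rec.impact})", self.score()))
        return self.score()

    def set_status(self, vuln_id: str, status: str) -> float:
        for rec in self.recommendations:
            if rec.vuln_id == vuln_id:
                rec.status = status
                self.history.append((f"{vuln_id} -> {status}", self.score()))
                return self.score()
        raise KeyError(vuln_id)


def worked_example() -> list:
    """Article example: SQL injection finding with impact 3 (score 10 -> 7),
    a constructed zero-impact recommendation (score unchanged), then the fix
    marked Resolved (score back to 10). Returns the history entries."""
    audit = Audit()
    audit.add(Recommendation("2020-Q1", "Use parameterized queries", impact=3))
    audit.add(Recommendation("2020-Q2", "Constructed zero-impact hardening item", impact=0))
    audit.set_status("2020-Q1", "Resolved")
    return audit.history
```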


The "Certified by XMCO" badge

The score is certified upon result publication (end of the initial audit) and at the end of the counter-audit, with the "Certified by XMCO" badge.



When no badge is displayed on the score, it means that the recommendations have been updated, and therefore XMCO is no longer responsible for the displayed score.

Typically, you must wait for the counter-audit for a new certification.
