Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: robert () dyadsecurity com
Date: Sat, 26 Feb 2005 00:13:30 -0800
security curmudgeon (jericho () attrition org) @ Fri, Feb 25, 2005 at 11:03:29PM -0500:

> In general, my gut reaction is "why the hype?" I've done extensive thinking about the scoring system, discussed and debated it with a ton of people, meditated on it and sacrificed a chicken so far. What does this scoring really do that high/medium/low doesn't? Does a 1 to 10 style system add value? 1 to 100? At what point does it get too obscure or too granulated to be helpful? The fact that these vendors are leading the initiative scares me. These are the same ones that intentionally or ignorantly labeled remote code execution bugs on default services as medium when they should have been high. Can we trust them to accurately label these vulns?
Some policies stress integrity, others confidentiality, etc. A high in one environment would be a low in the other. That kind of language is too rigid. I've never understood many of the standard metrics. I know why we want metrics, but they tend to be too subjective to be useful.

As an alternative, I've been using the Risk Assessment Value (RAV) system from OSSTMM (ISECOM) as much as I can. Although the math is still being worked on for the overall calculations, I've always liked the category language of the findings. None of the H/M/L, R/Y/G stuff. When you pop that shell, you have a "Verified Vulnerability"; when you see evidence of an old Windows-based Apache server behind a CSS that you can't get packets directly to, you have an "Identified Vulnerability", etc. I would rather know the classification of a problem (identified|verified, vulnerability, weakness, information leak, etc.) and figure out the impact to the environment myself. Dealing with measured facts helps us cut through the whole "hmm .. so you're telling me I have red things on my network .. that's bad right?".

Robert

--
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave