Dailydave mailing list archives

RE: Vuln scoring system anyone?


From: "Kevin Greene" <kgreene () truenorthsolutions net>
Date: Sat, 26 Feb 2005 23:20:19 -0500

Ron, you brought up a good point regarding the respective "ASSET"...  Regardless of how vendors classify a
vulnerability using a scale or matrix, organizations must still do their due diligence in evaluating the vulnerability
to determine the overall exposure the vulnerability represents.  The organization must also identify and classify
critical business assets and determine the overall impact and risk (as it relates to confidentiality, integrity and
availability) to the business if a vulnerability is exercised on a critical business asset.  In my opinion, this
evaluation will ultimately determine the true severity of a vulnerability.

A process should be in place to determine the 1-2% of vulnerabilities that really matter (sorting through thousands of
vulnerabilities).

And don’t forget vulnerability prevalence – especially if there is no clearly defined remediation process in place.

KevEG
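As an added illustration of the asset-driven evaluation described above (this is example code written for this archive page, not code from anyone in the thread), the block below takes a vendor severity rating as only one input, weights it by what the affected asset actually stands to lose in confidentiality, integrity and availability, halves local-only issues, reports how many assets each vulnerability appears on (prevalence), and then splits off the top 2% to act on first. Every asset name, vulnerability identifier, rating and weight is constructed for the example, and the scoring formula is one simple choice, not a published standard.

```python
"""Asset-aware vulnerability ranking. Constructed example; all names and ratings are hypothetical."""
from collections import Counter
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Asset:
    """Business impact (1 = negligible, 5 = critical) of losing each CIA property on this asset."""
    name: str
    c: int
    i: int
    a: int


@dataclass(frozen=True)
class Finding:
    """One scanner hit: a vulnerability instance on one asset."""
    vuln_id: str           # hypothetical IDs, not real advisories
    vendor_severity: int   # the vendor's own 1..5 rating
    asset: str
    remote: bool           # exploitable over the network without prior access
    loses: tuple           # which of ("c", "i", "a") a successful exploit affects


def exposure(f: Finding, asset: Asset) -> float:
    """Vendor severity weighted by what the asset actually stands to lose.

    Only the CIA properties the vulnerability affects count, each at the
    asset's rating for that property; a local-only issue is halved.
    """
    impact = max(getattr(asset, dim) for dim in f.loses)
    ease = 1.0 if f.remote else 0.5
    return f.vendor_severity * impact * ease


def prevalence(findings):
    """How many assets each vulnerability appears on (a remediation-cost driver)."""
    return dict(Counter(f.vuln_id for f in findings))


def rank(findings, assets, top_fraction=0.02):
    """Sort findings by exposure (ties broken by id, then asset) and split off the top fraction."""
    scored = sorted(
        ((exposure(f, assets[f.asset]), f) for f in findings),
        key=lambda t: (-t[0], t[1].vuln_id, t[1].asset),
    )
    cutoff = max(1, ceil(len(scored) * top_fraction))
    return scored[:cutoff], scored[cutoff:]


# Constructed inventory and scan output (not real systems or advisories).
ASSETS = {a.name: a for a in [
    Asset("payment-db", c=5, i=5, a=4),
    Asset("dmz-web", c=3, i=3, a=5),
    Asset("intranet-wiki", c=1, i=1, a=1),
]}

FINDINGS = [
    Finding("V-1", 5, "intranet-wiki", remote=True, loses=("c", "i", "a")),  # overflow in a core daemon
    Finding("V-1", 5, "dmz-web", remote=True, loses=("c", "i", "a")),        # same overflow, exposed host
    Finding("V-2", 3, "dmz-web", remote=True, loses=("c", "i")),             # reflected cross-site scripting
    Finding("V-3", 4, "payment-db", remote=False, loses=("c", "i", "a")),    # local privilege escalation
    Finding("V-4", 2, "payment-db", remote=True, loses=("c",)),              # unauthenticated data disclosure
]


if __name__ == "__main__":
    act_now, backlog = rank(FINDINGS, ASSETS)
    counts = prevalence(FINDINGS)
    for score, f in act_now + backlog:
        print(f"{score:5.1f}  {f.vuln_id}  vendor={f.vendor_severity}  {f.asset}  on {counts[f.vuln_id]} asset(s)")
```

Run stand-alone it prints the ranking. The point it makes is the one in the message above: the vendor's "5" on the throwaway wiki host scores 5, while the vendor's "2" on the payment database scores 10, so sorting by the vendor rating alone would have the order backwards, and the same overflow (V-1) lands at both the top and the bottom of the list depending only on the asset it sits on. Prevalence is reported beside the score rather than folded into it, so a widespread finding is visible as a remediation-process problem even when no single instance is urgent.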

        -----Original Message----- 
        From: Ron Gula [mailto:rgula () tenablesecurity com] 
        Sent: Sat 2/26/2005 8:10 PM 
        To: dailydave () lists immunitysec com 
        Cc: 
        Subject: Re: [Dailydave] Vuln scoring system anyone?
        
        

        At 06:23 PM 2/25/2005, Tom Parker wrote:
        
        >So what are peoples thoughts on:
        >
        >http://www.newscientist.com/article.ns?id=dn7040
        >
        >It strikes me that although it may be a good idea to try and rate a
        >vulnerability based on its severity, using metrics which measure factors
        >such as ease of exploitation, initial levels of access required etc.,
        >rating the "urgency" of an issue (which sounds like remediation
        >prioritization to me) solely on the severity seems like a mistake. People
        >are going to use these ratings to prioritize remediation, and yet their
        >metrics seem to say nothing about the respective asset. Perhaps I've
        >missed the point of the system here; this is a topic I gas about all of
        >the time, so I won't bore you - I'm just curious to hear what people
        >think.
        >
        >Peace,
        >
        >-Tom
        
        I love the progression in this industry ;)
        
        On one hand, I see people who are offended by the typical
        red/yellow/green types of vulnerability labels. On the other
        hand, there are so many new people to security, I run into
        a lot of people who can't discriminate between cross site
        scripting and overflows in their core daemons.
        
        I'm all for labels and forms of classification if they
        make sense, but more and more, when folks whack their
        top 10 or top 20 list of vulnerabilities, there are hundreds
        more left over which get bumped up to a new set of top 10
        or 20 ....
        
        Ron Gula
        _______________________________________________
        Dailydave mailing list
        Dailydave () lists immunitysec com
        https://lists.immunitysec.com/mailman/listinfo/dailydave
        
