Dailydave mailing list archives
RE: Vuln scoring system anyone?
From: "Kevin Greene" <kgreene () truenorthsolutions net>
Date: Sat, 26 Feb 2005 23:20:19 -0500
Ron, you brought up a good point regarding the respective "ASSET"... Regardless of how vendors classify a vulnerability using a scale or matrix, an organization must still do its due diligence in evaluating the vulnerability to determine the overall exposure the vulnerability represents. The organization must also identify and classify critical business assets and determine the overall impact and risk (as it relates to confidentiality, integrity and availability) to the business if a vulnerability is exercised on a critical business asset. In my opinion, this evaluation will ultimately determine the true severity of a vulnerability. A process should be in place to determine the 1-2% of vulnerabilities that really matter (sorting through thousands of vulnerabilities). And don't forget vulnerability prevalence – especially if there is no clearly defined remediation process in place.

KevEG

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Sat 2/26/2005 8:10 PM
To: dailydave () lists immunitysec com
Cc:
Subject: Re: [Dailydave] Vuln scoring system anyone?

At 06:23 PM 2/25/2005, Tom Parker wrote:
>So what are people's thoughts on:
>
>http://www.newscientist.com/article.ns?id=dn7040
>
>It strikes me that although it may be a good idea to try and rate a
>vulnerability based on its severity, using metrics which measure factors
>such as ease of exploitation, initial levels of access required etc,
>rating the "urgency" of an issue (which sounds like remediation
>prioritization to me) solely on the severity seems like a mistake.
>People are going to use these ratings to prioritize remediation, and yet
>their metrics seem to say nothing about the respective asset. Perhaps
>I've missed the point of the system here; this is a topic I gas about
>all of the time, so I won't bore you - I'm just curious to hear what
>people think.
>
>Peace,
>
>-Tom

I love the progression in this industry ;) On one hand, I see people who are offended by the typical red/yellow/green types of vulnerability labels. On the other hand, there are so many new people to security, I run into a lot of people who can't discriminate between cross site scripting and overflows in their core daemons. I'm all for labels and forms of classification if they make sense, but more and more, when folks whack their top 10 or top 20 list of vulnerabilities, there are hundreds more left over which get bumped up to a new set of top 10 or 20 ....

Ron Gula

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
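The prioritization Kevin and Ron argue for (vendor label weighed against the asset's business impact and how widespread the finding is), as an added example that is not part of the thread. The severity weights, the asset inventory and the scanner findings are all constructed for illustration.

```python
"""Risk-based prioritisation of scanner findings (added example, not from the thread).

The vendor's red/yellow/green label is only one factor; the affected asset's CIA
impact and how many assets carry the same finding (prevalence) decide the real
exposure. All weights, assets and findings below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Vendor labels from the thread; the numeric weights are an assumption.
SEVERITY = {"red": 3, "yellow": 2, "green": 1}

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # business impact if lost: 1 (low) .. 3 (high)
    integrity: int
    availability: int

    def criticality(self) -> int:
        """Worst-case CIA impact drives the asset's criticality."""
        return max(self.confidentiality, self.integrity, self.availability)

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: Asset
    vendor_label: str

def prioritize(findings):
    """Return [(exposure, finding), ...] ordered by exposure, highest first.

    exposure = vendor severity * asset criticality * prevalence, where
    prevalence is the number of assets on which the same vuln_id appears.
    """
    prevalence = Counter(f.vuln_id for f in findings)
    scored = [(SEVERITY[f.vendor_label] * f.asset.criticality() * prevalence[f.vuln_id], f)
              for f in findings]
    return sorted(scored, key=lambda s: s[0], reverse=True)

# Constructed sample inventory and scanner output.
SAMPLE_FINDINGS = [
    Finding("VULN-A", Asset("lobby-kiosk", 1, 1, 1), "red"),     # red label, throwaway box
    Finding("VULN-B", Asset("billing-db", 3, 3, 3), "yellow"),   # yellow label, crown jewel
] + [Finding("VULN-C", Asset(f"staff-pc-{i}", 1, 1, 1), "green") for i in range(4)]

if __name__ == "__main__":
    for exposure, f in prioritize(SAMPLE_FINDINGS):
        print(f"{exposure:>2}  {f.vuln_id:<7} {f.vendor_label:<6} {f.asset.name}")
```

With these inputs the red finding on the kiosk ranks last, the yellow finding on the billing database first, and the green finding climbs above the red one purely because it is present on four hosts.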
Current thread:
- Re: Vuln scoring system anyone? security curmudgeon (Feb 26)
- Re: Vuln scoring system anyone? Adam Shostack (Feb 28)
- <Possible follow-ups>
- RE: Vuln scoring system anyone? Kevin Greene (Feb 26)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)