Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: Adam Shostack <adam () homeport org>
Date: Sun, 27 Feb 2005 16:25:20 -0500

On Sat, Feb 26, 2005 at 09:54:54PM -0500, security curmudgeon wrote:
| 
| : > In general, my gut reaction is "why the hype?" I've done extensive 
| : ....
| : > scoring really do that high/medium/low doesn't? Does a 1 to 10 style 
| : > system add value? 1 to 100? At what point does it get too obscure or too 
| : > granulated to be helpful?
| : ... 
| : > The fact that these vendors are leading the initiative scares me. These 
| : > are the same ones that intentionally or ignorantly labeled remote code 
| : 
| : It is *only* the fact that major vendors are leading this that makes it 
| : valuable. While I'm skeptical of any rating system's applicability to my 
| : own circumstances, I *would* appreciate having vendor releases come out 
| : on the same scale - even if that scale is meaningless outside of its 
| : own context.  *I* might know the difference, but having people call me 
| : up asking why company A calls X a "High", but company B calls it a 
| : "Medium" can be a huge headache.
| 
| Err, ok, then why support this? It will cause the same headache.
| 
| You say if all the vendors agree an issue is 'High Risk', less headache. 
| However, if those vendors agree an issue is 'Medium Risk', and security 
| folks at CVE or OSVDB or Secunia or SecurityTracker or ISS or 
| SecurityFocus or [..] say "No, this is High Risk", you have the same 
| problem. Customers will see two ratings, questions ensue.
| 
| Consider that while many people will get information from these vendors 
| first, many others will not. They get their information from vulnerability 
| alert services (Secunia, SecurityTracker, etc). That is the first 
| information they see, and their rating is often the determination for how 
| an organization reacts immediately.

When an organization starts trying to sort and prioritize vulns in a
mature way, they need to look at the risk of attack, the comparative
risks of various defensive strategies, and the value of the system
being defended at various times.  (Bank teller systems are worth more
during business hours, ATMs are worth more Friday night, etc.) 

The CVSS standard will help people with one of the three data points
they need.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
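The three inputs Adam lists (risk of attack, the comparative risk of the defensive options, and an asset value that changes with the clock) can be combined into a ranking in which the vendor's rating is only one factor. The following Python is an added illustration, not code from the thread or from any scoring standard; the label-to-number table, the asset value profiles, the weights and the sample vulnerabilities are all hypothetical and constructed only to show how the same two vendor ratings change order between a Tuesday afternoon and a Friday night.

```python
"""Added example (not from the thread): rank vulnerabilities by combining a
vendor severity label with attack likelihood, the risk of the fix itself,
and an asset value that depends on the time of day and week."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List

# Hypothetical mapping from vendor label to a number. This is the single
# data point a shared vendor scale supplies; the other factors are yours.
SEVERITY = {"Low": 2.0, "Medium": 5.0, "High": 8.0, "Critical": 10.0}


def teller_value(when: datetime) -> float:
    """Teller systems matter during business hours, Mon-Fri 09:00-17:00."""
    return 1.0 if when.weekday() < 5 and 9 <= when.hour < 17 else 0.2


def atm_value(when: datetime) -> float:
    """ATMs matter most on Friday night (18:00 onwards)."""
    return 1.0 if when.weekday() == 4 and when.hour >= 18 else 0.5


@dataclass(frozen=True)
class Asset:
    name: str
    base_value: float                        # hypothetical units, e.g. loss per hour down
    profile: Callable[[datetime], float]     # time-of-week multiplier, 0..1


@dataclass(frozen=True)
class Vuln:
    vid: str
    asset: Asset
    vendor_rating: str          # the vendor's label on the shared scale
    attack_likelihood: float    # 0..1, e.g. public exploit or seen in the wild
    fix_risk: float             # 0..1, chance the patch or workaround itself breaks the system


def priority(v: Vuln, when: datetime) -> float:
    """Expected loss from leaving the hole open, discounted by the risk of the fix.

    severity * attack likelihood * exposed value * (1 - fix risk).
    The formula is a hypothetical illustration, not a published standard."""
    exposure = v.asset.base_value * v.asset.profile(when)
    return SEVERITY[v.vendor_rating] * v.attack_likelihood * exposure * (1.0 - v.fix_risk)


def rank(vulns: List[Vuln], when: datetime) -> List[str]:
    """Vulnerability ids, highest priority first, for the given moment."""
    return [v.vid for v in sorted(vulns, key=lambda v: priority(v, when), reverse=True)]


def rank_at(vulns: List[Vuln], iso_time: str) -> List[str]:
    """Same as rank(), taking an ISO-8601 timestamp such as '2005-03-04T21:00'."""
    return rank(vulns, datetime.fromisoformat(iso_time))


def priority_at(v: Vuln, iso_time: str) -> float:
    return priority(v, datetime.fromisoformat(iso_time))


# Constructed sample data: two assets of equal base value, three vulns.
TELLER = Asset("teller-app", 100.0, teller_value)
ATM = Asset("atm-network", 100.0, atm_value)
SAMPLE_VULNS = [
    Vuln("V1", TELLER, "High", 0.6, 0.0),     # vendor says High
    Vuln("V2", ATM, "Medium", 0.9, 0.0),      # vendor says Medium, exploit public
    Vuln("V3", ATM, "Low", 0.3, 0.5),         # Low, and the fix is risky
]

if __name__ == "__main__":
    # Tuesday afternoon: the teller High leads. Friday night: the ATM Medium leads.
    for stamp in ("2005-03-01T14:00", "2005-03-04T21:00"):
        print(stamp, rank_at(SAMPLE_VULNS, stamp))
```

The point of the exercise is the second line of output: nothing about the vendor ratings changed, yet the "Medium" outranks the "High" once the ATM network is the asset that is worth attacking. Whatever shared scale the vendors settle on, the other two inputs still have to come from the organization itself.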

