Dailydave mailing list archives
RE: Vuln scoring system anyone?
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 3 Mar 2005 09:53:55 +0100
Hi, n00b post etc.
-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Tom Parker
[...]
> Well, the basis of most of the theory which CVSS rates vuln severity on seems fairly sound
I guess it's better than nothing.
> however I stand by my original point, that there is no mention anywhere, that the perceived asset value needs to be factored in at some point. When you start thinking about vulnerability risk
Every sensible vendor [1] is going to do this. All this CVSS stuff is intended to do is score vulnerability Severity - don't mix that up with Risk with a big 'r'. The tools from the vendors will then combine this severity with the asset value, and ideally also something to represent the relative threat (asset behind firewall safer than asset with ass hanging out on 'net). Risk will then be derived as R=VulnSeverity*Threat*AssetValue, or some more complicated version of the same thing, and you can go nuts from there in building big spreadsheets of meaningless numbers. You're right that it is not up to vendors to tell users what their own business risk is, but it is up to us to give users tools with which they can produce those kinds of indications (either qualitative or quantitative with $$signs) much more easily than today. Standardising severity is just one step in that direction. [allgoodstuff snipped]
> Another thing - if a vendor finds out about an 0day in their product are they going to issue an initial alert, rating the issue as high due to its high impact, lack of fix and the possible presence of a POC in the wild, and then re-rate it once they have fixed it, or just not tell people about it until it's been fixed? If a vendor releases an advisory for an issue that they have fixed, but no POC exists for in the public domain, will they update their advisory when a POC enters the 'public' domain?
OK, this kind of leads me to the big issue I have with this CVSS - what is to stop three different vendors from having different opinions on the CIA impact? What about when one vendor doesn't believe that a POC works, so they don't update their score? My concern is that this is being touted as "standardised scoring" when, really, it's not. It's a standardised methodology, which is (IMHO) much less valuable. Now, if all the software vendors and vulnerability folks could all agree and make the CVSS part of a constantly updated field in the CVE, or maybe OSVDB or something, then that would start to get my attention. But who's going to make that final determination?
> Don't get me wrong, I think the severity rating is a step in the right direction - but software vendors are in no place to be preaching to folks about remediation urgency/priority/what to eat for lunch.
I don't think any vendor will try that. All the vendors are about is producing tools that will give you good answers if you input the right information about your systems. However, there is a big GIGO risk - but that's not our fault. ;)

All IMHO, does not reflect opinion of my employer, may be flat out wrong.

Cheers,
ben

[1] I work for eEye.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
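The severity-versus-risk split argued in the message above, as an added example that is not part of the thread and is not eEye's, CVSS's or any vendor's code. It implements the post's R = VulnSeverity * Threat * AssetValue over a small constructed inventory, so the same vendor severity lands at different risk on different hosts, and it refuses to score a host whose asset value was never supplied rather than quietly defaulting it (the GIGO point). The threat multipliers, the 0..10 severity scale, the 0..1 asset value, and the host and vulnerability names are all assumptions made for the example.

```python
"""Added example: derive risk from a vendor severity score plus site context.

Implements R = VulnSeverity * Threat * AssetValue from the post. The threat
multipliers, the 0..10 severity scale, the 0..1 asset value and the host/vuln
names are constructed assumptions, not a vendor's or CVSS's own values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed relative-threat multipliers: the post only says an asset behind a
# firewall is safer than one exposed to the 'net, so the numbers are invented.
THREAT = {"internet": 1.0, "dmz": 0.7, "internal": 0.4}


@dataclass(frozen=True)
class Finding:
    host: str                      # constructed host name
    vuln: str                      # constructed label, not a real identifier
    severity: float                # vendor-supplied severity, assumed 0..10
    exposure: str                  # key into THREAT
    asset_value: Optional[float]   # site-supplied 0..1; None if nobody filled it in


def risk(f: Finding) -> Optional[float]:
    """R = severity * threat * asset value, rounded to two decimals.

    Returns None instead of a made-up number when the asset value is missing:
    silently defaulting it is exactly the GIGO the post warns about.
    """
    if f.asset_value is None:
        return None
    if not 0.0 <= f.severity <= 10.0:
        raise ValueError(f"{f.vuln}: severity {f.severity} outside 0..10")
    if not 0.0 <= f.asset_value <= 1.0:
        raise ValueError(f"{f.host}: asset value {f.asset_value} outside 0..1")
    if f.exposure not in THREAT:
        raise ValueError(f"{f.host}: unknown exposure {f.exposure!r}")
    return round(f.severity * THREAT[f.exposure] * f.asset_value, 2)


def prioritise(findings: List[Finding]) -> Tuple[List[Tuple[float, Finding]], List[Finding]]:
    """Rank findings by derived risk, highest first; keep unscorable ones in a
    separate list so they stay visible instead of sinking to the bottom as 0."""
    scored = [(risk(f), f) for f in findings]
    ranked = sorted(((r, f) for r, f in scored if r is not None),
                    key=lambda rf: rf[0], reverse=True)
    unscored = [f for r, f in scored if r is None]
    return ranked, unscored


# Constructed sample inventory: the same severity-7.5 issue on two hosts with
# very different exposure and value, one higher-severity issue in a DMZ, and
# one host whose asset value was never entered.
SAMPLE = [
    Finding("www-1", "vuln-a", 7.5, "internet", 0.9),
    Finding("build-7", "vuln-a", 7.5, "internal", 0.3),
    Finding("mail-relay", "vuln-b", 9.0, "dmz", 0.5),
    Finding("lab-box", "vuln-c", 9.8, "internet", None),
]

if __name__ == "__main__":
    ranked, unscored = prioritise(SAMPLE)
    for r, f in ranked:
        print(f"{r:5.2f}  {f.host:<11} {f.vuln}  sev={f.severity} exposure={f.exposure}")
    for f in unscored:
        print(f"  ???  {f.host:<11} {f.vuln}  asset value missing - fix the inventory first")
```

Run as a script it prints the ranked list: the 7.5 on the internet-facing web server outranks the 9.0 in the DMZ, and the same 7.5 on the internal build host comes last, while the host with no asset value is reported separately rather than scored. The point is that the vendor severity is the one input that can be standardised; the other two factors have to come from the site, and the tool should make missing site data visible instead of hiding it behind a default.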
Current thread:
- Re: Vuln scoring system anyone?, (continued)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Oliv (Mar 02)
- Re: Vuln scoring system anyone? Tom Parker (Mar 02)
- Re: Vuln scoring system anyone? Jason (Mar 02)
- Re: Vuln scoring system anyone? Kurt Seifried (Mar 02)
- RE: Vuln scoring system anyone? Ben Nagy (Mar 03)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Frank Knobbe (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)