Dailydave mailing list archives
Re: CVSS is the worst compression algorithm ever
From: Adrian Sanabria <adrian.sanabria () gmail com>
Date: Fri, 11 Jan 2019 00:23:24 -0500
Everywhere I've ever pentested, we've used a low/medium/high or low/medium/high/critical scale - this is my first encounter with DREAD. What you describe though - clients attempting to negotiate down the severity of vulns on the report - was common regardless of the scoring system used. I don't see DREAD being unique in that respect. Reflecting, it's probably what pushed me towards the binary system I ended up using. No score - just exploitable or not. Then, if it's someone that just refuses to have a critical finding on their report, they'll argue over the likelihood of it being exploited. Or over whether the finding was in scope. Then I consider firing that client. I try to explain - when you're hiring a pentester, you're paying for their opinion as they perform a point-in-time assessment. The client is free to debate the findings and they don't have to agree with the consultant, but the client can't change/rewrite the report without destroying the integrity of the report. --Adrian On Thu, Jan 10, 2019 at 5:21 PM Adam Shostack <adam () shostack org> wrote:
Okay, I'll respond generally about DREAD. The issue comes up when people say "We'll treat a DREAD rating of >= 8 as critical." Then someone looks at your discoverability of 7, and says "hmm, if this were a 6, then DREAD would be 7.9...can we change it?" Lacking any guidance on the difference, it's hard to say no. Really, it's often "You're being unreasonable by making discoverability a 7 here. It's not that high!" Adam On Thu, Jan 10, 2019 at 04:38:30PM -0500, Adrian Sanabria wrote:I probably shouldn't have brought it up - I'm not involved much on the pentesting side. I know we've discussed replacing it, but finding littleoutthere to replace it with. In my own work, I find most of my pentesting results come down to abinaryvalue (hackable, not hackable) and some sense of likelihood of it getting exploited by a malicious party. Highs/mediums/lows all seem pointlesswhenemulating the attacker perspective. Looking at DREAD, I honestly can't say I find anything fatally wrongwith it.Perhaps it's because I've never known pentesting to be terriblyconsistentacross tests or consultants in my career, so the bar is set pretty lowin mymind? --Adrian On Thu, Jan 10, 2019 at 2:12 PM Adam Shostack <adam () shostack org> wrote: On Wed, Jan 09, 2019 at 08:18:48AM -0500, Adrian Sanabria wrote: > Our pentesters use DREAD, which I think most people have moved onfrom,but at > least the scoring is clear and consistent. I'm sorry, but I need to rant a little. A decade back, I wrote a "DREAD is DEAD, please stop" blog post for Microsoft. If you are getting consistent scoring out of DREAD, you are not using DREAD (as described in Writing Secure Code 1, which I think is the first public description). You are using some derivitive that adds tools to provide for that consistency. Those tools may be as simple as a set of examples of each of the constiuents and what constitutes a 7 or a 3. I care about this because I one of the biggest things that I see making threat modeling hard is everyone calls their specific collection of techniques 'lightweight threat modeling' or 'agile threat modeling' and people trying to learn get confused because there's 6 contradictory descriptions that have been labeled "agile tm". People writing down process so their engineers can do it consistently get confused in the same way they'd get confused if we all said "oh yeah. we're writing code, and you can assign variables with either = or <=". We name our languages, we version them. Weneedto start doing the same for threat modeling constructs. If you say "We're using DREADNOP 1.0" that's cool. Alternately,maybeyou're using DREAD 1.0 in its raw form, in which case, how are you getting consistent scores? Adam > In addition to CVE being wrong on critical details, I've foundthat mostof > ExploitDB isn't exploits. Many are vulnerability checks and almostallare > incorrectly entered. PrivEsc will be labeled RCE and RCE will belabeledDoS. > It's all a mess. If I had the resources to burn it all down andstartfrom > scratch, I'd do it. > > --Adrian > > On Tue, Jan 8, 2019, 17:47 Nathaniel Ferguson <jferguson () 126 comwrote:> > > They use a ton of big words in the paper to call CVSS outand giveit a > shellacking. Like most of you, we have extensive use of CVSSin our> consulting practice and I've seen this stuff first hand. CVSSis ofcourse > just a buggy compression algorithm for taking complexqualitativedata and > then putting it on a number line. > > > Over the years I've worked at a few different consultanciesand atleast > originally basically no one used any sort of standardizedmetric, the> reports were generally humorous from a technical standpoint asthenumbers > were basically just made up and didn't adhere to even basic statistics > methodologies-- we take the X and multiple it by Y and add theZ and> there's your score! Some even plotted them along cartoonlookinggraphs and > plots and my suspicion was that they were really included togivedepth to > the reports and break up the monotony of text on text on text.Oddly,I've > never even worked at a place that described the methodology as outlined in > their reports to their employees leaving some question as tohow a> methodology was to be implemented if only the client everheard aboutit. > > In that sense, CVSS et al make some amount of sense, ifnothing elseit > standardizes to a common metric and isn't what the sales guy or operations > manager made up. Additionally, what a strange word--shellacking,there is > no 'k' in the word until its made into a present participle. > > > The paper has three angles here: > > Qualitative mappings into quantitative numbers are a sillything todo, > like people trying to do "social science" by usingSurveyMonkey.> > Which is what most people are or were selling. > > > It's fine to have a lossy compression algorithm thatemphasizescertain > aspects of the input signal over others, of course, but anadditionalCERT/ > CC critique is we have no reason to think CVSS does this in any useful way. > > Well there 's a missing line here, you can see it from the waythat> client-side attacks perverted the concept of remote and sothey madethem > remote also instead of adding the new line to the plot.Because ofstuff > like this. everything is remote now which limits itsusefulness. This> doesn't even touch on the fact that most of the CVE database is basically > wrong from submissions including very limited data, id est"memory> corruption results in a DoS". > > Nathaniel > > 在 2019-01-09 00:14:00,"Dave Aitel" <dave.aitel () cyxtera com>写道:> > > I wanted to take a few minutes and do a quick highlight ofapaper from > CMU-CERT which I think most people have missed outon: https://> resources.sei.cmu.edu/asset_files/WhitePaper/ 2018_019_001_538372.pdf > > Towards Improving CVSS - resources.sei.cmu.edu > resources.sei.cmu.edu > SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY > REV-03.18.2016.0 Distribution Statement A: Approved forPublicRelease; > Distribution Is Unlimited TOWARDS IMPROVING CVSS > It's almost as funny a read as their previous best work onhow "> clientless HTTPS VPNs are insanely dumb what were youthinkingomg?" > > They use a ton of big words in the paper to call CVSS outandgive it a > shellacking. Like most of you, we have extensive use ofCVSS inour > consulting practice and I've seen this stuff first hand.CVSS isof > course just a buggy compression algorithm for takingcomplex> qualitative data and then putting it on a number line. Thepaperhas > three angles here: > 1. Qualitative mappings into quantitative numbers are asillything to > do, like people trying to do "social science" by using > SurveyMonkey. > 2. We're pretty sure that the compression algorithm isnot, infact, > putting higher risk items as bigger numbers, which isthewhole > point of the thing. > 3. Nobody is applying this in any sort of consistent way(whichis > probably impossible) which is ALSO the whole point ofthething. > > It's fine to have a lossy compression algorithm thatemphasizescertain > aspects of the input signal over others, of course, but an additional > CERT/CC critique is we have no reason to think CVSS doesthis inany > useful way. > > > There's definitely people in the CVSS process (who I willavoidcalling > out by name) who think ANY quantization is good. But readthepaper and > decide for yourself - because these are probably seriousissuesthat > are turning your entire risk org into aGarbage-In-Garbage-Outorg... > > > -dave > > > > > > > > _______________________________________________ > Dailydave mailing list > Dailydave () lists immunityinc com > https://lists.immunityinc.com/mailman/listinfo/dailydave > > _______________________________________________ > Dailydave mailing list > Dailydave () lists immunityinc com > https://lists.immunityinc.com/mailman/listinfo/dailydave -- Adam Shostack President, Shostack & Associates https://associates.shostack.org • +1 917 391 2168 Join my very quiet annnoucement list:https://adam.shostack.org/newthing-- Adam Shostack President, Shostack & Associates https://associates.shostack.org • +1 917 391 2168 Join my very quiet annnoucement list: https://adam.shostack.org/newthing
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Re: CVSS is the worst compression algorithm ever, (continued)
- Re: CVSS is the worst compression algorithm ever Adrian Sanabria (Jan 10)
- Re: CVSS is the worst compression algorithm ever Thierry Zoller (Jan 10)
- Re: CVSS is the worst compression algorithm ever Monroe, Bruce (Jan 10)
- Re: CVSS is the worst compression algorithm ever Adrian Sanabria (Jan 11)
- Re: CVSS is the worst compression algorithm ever Dennis Groves (Jan 10)
- Re: CVSS is the worst compression algorithm ever Adrian Sanabria (Jan 10)
- Re: CVSS is the worst compression algorithm ever Adam Shostack (Jan 10)
- Re: CVSS is the worst compression algorithm ever Adrian Sanabria (Jan 11)
- Re: CVSS is the worst compression algorithm ever Adam Shostack (Jan 11)
- Re: CVSS is the worst compression algorithm ever Adrian Sanabria (Jan 11)
- Re: CVSS is the worst compression algorithm ever Nathaniel Ferguson (Jan 11)
- Re: CVSS is the worst compression algorithm ever Dave Aitel (Jan 10)
- Re: CVSS is the worst compression algorithm ever Eric Schultz (Jan 10)