Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: Ron Gula <rgula () tenablesecurity com>
Date: Sat, 26 Feb 2005 20:10:21 -0500

At 06:23 PM 2/25/2005, Tom Parker wrote:

So what are people's thoughts on:

http://www.newscientist.com/article.ns?id=dn7040

It strikes me that although it may be a good idea to try and rate a vulnerability based on its severity, using metrics which measure factors such as ease of exploitation, initial levels of access required etc, rating the "urgency" of an issue (which sounds like remediation prioritization to me), solely on the severity seems like a mistake. People are going to use these ratings to prioritize remediation, and yet their metrics seem to say nothing about the respective asset. Perhaps I've missed the point of the system here; this is a topic I gas about all of the time, so I won't bore you - I'm just curious to hear what people think.

Peace,

-Tom

I love the progression in this industry ;)

On one hand, I see people who are offended by the typical
red/yellow/green types of vulnerability labels. On the other
hand, there are so many new people to security, I run into
a lot of people who can't discriminate between cross site
scripting and overflows in their core daemons.

I'm all for labels and forms of classification if they
make sense, but more and more, when folks whack their
top 10 or top 20 list of vulnerabilities, there are hundreds
more left over which get bumped up to a new set of top 10
or 20 ....

Ron Gula
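The disagreement in the thread is between an asset-agnostic severity score (ease of exploitation, access required, impact) and a remediation urgency that also weighs the asset. The following is an added illustration, not code from the list or from either poster: a toy scoring model with constructed ordinal scales, constructed weights and constructed sample findings (the identifiers V-A, V-B, V-C are placeholders, not real advisory ids). It shows how the remediation order changes once asset criticality enters the score, which is Tom's point, and why Ron's "overflow in a core daemon versus cross site scripting" distinction still needs the asset context to rank correctly.

```python
# Added example for the severity-vs-urgency discussion above (constructed, not
# from the mailing list). Scales, weights and findings are all assumptions.
from dataclasses import dataclass

# Constructed ordinal scales: higher means worse for the defender.
EASE_OF_EXPLOIT = {"theoretical": 1, "proof_of_concept": 2, "public_exploit": 3}
ACCESS_REQUIRED = {"local_user": 1, "authenticated_remote": 2, "unauthenticated_remote": 3}
IMPACT = {"info_leak": 1, "denial_of_service": 2, "code_execution": 3}


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real advisory id
    ease: str               # key into EASE_OF_EXPLOIT
    access: str             # key into ACCESS_REQUIRED
    impact: str             # key into IMPACT
    asset: str              # constructed host name
    asset_criticality: int  # 1 (throwaway lab box) .. 5 (business-critical host)


def severity(f: Finding) -> int:
    """Asset-agnostic severity (3..27): product of the three metric scales.

    This is the kind of score the article-style system produces: it knows
    nothing about where the vulnerability actually lives.
    """
    return EASE_OF_EXPLOIT[f.ease] * ACCESS_REQUIRED[f.access] * IMPACT[f.impact]


def urgency(f: Finding) -> int:
    """Remediation urgency: severity scaled by how much the affected asset matters."""
    return severity(f) * f.asset_criticality


def prioritize(findings, key):
    """Return vuln ids ordered by the given scoring function, highest first."""
    return [f.vuln_id for f in sorted(findings, key=key, reverse=True)]


# Constructed sample findings:
#   V-A: remotely exploitable overflow, but on a disposable lab host
#   V-B: information leak on the customer-facing portal
#   V-C: authenticated code execution on the billing database host
SAMPLE = [
    Finding("V-A", "public_exploit", "unauthenticated_remote", "code_execution", "lab-host", 1),
    Finding("V-B", "public_exploit", "unauthenticated_remote", "info_leak", "customer-portal", 5),
    Finding("V-C", "public_exploit", "authenticated_remote", "code_execution", "billing-db", 4),
]


if __name__ == "__main__":
    # By severity alone the lab-host overflow tops the list; once the asset is
    # weighed in, the billing-db and portal findings move ahead of it.
    print("by severity:", prioritize(SAMPLE, severity))
    print("by urgency: ", prioritize(SAMPLE, urgency))
```

The two orderings disagree on every position, which is exactly the gap Tom describes: a severity-only label is a fine description of the bug, but a remediation queue built from it alone will send people to patch the lab box before the billing host.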

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
