Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Ron Gula <rgula () tenablesecurity com>
Date: Sat, 26 Feb 2005 20:10:21 -0500
At 06:23 PM 2/25/2005, Tom Parker wrote:
So what are people's thoughts on: http://www.newscientist.com/article.ns?id=dn7040

It strikes me that although it may be a good idea to try and rate a vulnerability based on its severity, using metrics which measure factors such as ease of exploitation, initial levels of access required etc, rating the "urgency" of an issue (which sounds like remediation prioritization to me), solely on the severity seems like a mistake. People are going to use these ratings to prioritize remediation, and yet their metrics seem to say nothing about the respective asset. Perhaps I've missed the point of the system here; this is a topic I gas about all of the time, so I won't bore you - I'm just curious to hear what people think.

Peace,
-Tom
I love the progression in this industry ;) On one hand, I see people who are offended by the typical red/yellow/green types of vulnerability labels. On the other hand, there are so many new people to security, I run into a lot of people who can't discriminate between cross site scripting and overflows in their core daemons. I'm all for labels and forms of classification if they make sense, but more and more, when folks whack their top 10 or top 20 list of vulnerabilities, there are hundreds more left over which get bumped up to a new set of top 10 or 20 ....

Ron Gula

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave