Dailydave mailing list archives
Re: FW: The CrateMaster2000 of Security.
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 30 Jan 2007 21:36:04 +0100
* Des Ward:
The biggest issue with CVSS is that the environmental score is far too brief and confusing to make things workable. We need to ask a number of additional questions to get any kind of use out of the scoring mechanism. Take a remotely exploitable vulnerability that needs client interaction; only when changing the remotely exploitable score to no do you start getting an accurate score.
Yeah, but this is due to the proliferation of "remote" vulnerabilities. In many cases, bugs requiring user interaction to exploit are still pretty much relevant; in others, they are not. It all depends on context, how you have deployed the defective software, and so on. The issue I have with CVSS and similar schemes is that for different industries, different security aspects have different priorities. A typical ISP doesn't care that much about the confidentiality of their customers' packets, or that they pass through their network unchanged, but they are very keen on keeping everything running. But within CVSS, there is a built-in ordering that basically says A < I < C (or was it A < C < I?), and this doesn't make sense if the A aspect is the important one for you. If you've got two partial orderings on the same set, there isn't necessarily a total ordering that refines both. 8-)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
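The reweighting Florian is asking for is exactly what the environmental "security requirement" metrics (CR/IR/AR) in the CVSS v2 specification later provided. The following is an added example, not code from the thread or from any CVSS tool: it implements the CVSS v2 impact sub-score with and without the environmental requirement multipliers, using the constants from the v2 specification, and scores two constructed vulnerabilities (names are hypothetical) under a default profile and under an availability-first "ISP" profile to show that the ranking between them flips.

```python
# CVSS v2 impact values for the Confidentiality/Integrity/Availability
# base metrics: None, Partial, Complete (constants from the v2 spec).
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# CVSS v2 environmental security-requirement multipliers
# (ConfidentialityRequirement / IntegrityRequirement / AvailabilityRequirement):
# Low, Medium (the default, i.e. no reweighting), High.
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51}


def impact_subscore(c, i, a, cr="M", ir="M", ar="M"):
    """CVSS v2 (adjusted) impact sub-score, rounded to one decimal.

    With cr=ir=ar="M" this is the plain base impact formula; any other
    profile applies the environmental requirement weights, capped at 10.
    """
    c_term = 1 - IMPACT[c] * REQUIREMENT[cr]
    i_term = 1 - IMPACT[i] * REQUIREMENT[ir]
    a_term = 1 - IMPACT[a] * REQUIREMENT[ar]
    return round(min(10.0, 10.41 * (1 - c_term * i_term * a_term)), 1)


# Two constructed vulnerabilities (hypothetical, for illustration only):
# one leaks and tampers with data, the other only knocks the service over.
VULNS = {
    "data-disclosure-bug": {"c": "C", "i": "P", "a": "N"},
    "service-crash-bug": {"c": "N", "i": "N", "a": "C"},
}

# Environmental profiles: the default (no reweighting) and an
# availability-first profile for an operator that mostly cares about uptime.
PROFILES = {
    "default": {"cr": "M", "ir": "M", "ar": "M"},
    "isp": {"cr": "L", "ir": "L", "ar": "H"},
}


def rank(profile):
    """Return vulnerability names ordered by impact sub-score, highest first."""
    weights = PROFILES[profile]
    scored = {name: impact_subscore(**m, **weights) for name, m in VULNS.items()}
    return sorted(scored, key=lambda n: scored[n], reverse=True)


if __name__ == "__main__":
    for profile in PROFILES:
        for name, metrics in VULNS.items():
            print(profile, name, impact_subscore(**metrics, **PROFILES[profile]))
        print(profile, "ranking:", rank(profile))
```

Under the default profile the disclosure bug scores higher (7.8 against 6.9); under the availability-first profile the crash bug caps out at 10.0 while the disclosure bug drops to 4.4, so the order reverses. The base ordering is not wrong, it just encodes one set of priorities, and the environmental requirements are the knob that lets a different organisation encode its own.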
Current thread:
- The CrateMaster2000 of Security. Dave Aitel (Jan 25)
- Re: The CrateMaster2000 of Security. Anton Chuvakin (Jan 25)
- Re: The CrateMaster2000 of Security. andre (Jan 26)
- Re: The CrateMaster2000 of Security. Robert Graham (Jan 26)
- Re: The CrateMaster2000 of Security. Ron Gula (Jan 27)
- <Possible follow-ups>
- FW: The CrateMaster2000 of Security. Des Ward (Jan 28)
- Re: FW: The CrateMaster2000 of Security. Florian Weimer (Jan 30)
- Re: FW: The CrateMaster2000 of Security. Des Ward (Jan 30)
- Re: The CrateMaster2000 of Security. Anton Chuvakin (Jan 25)