Dailydave mailing list archives
Re: CVSS is the worst compression algorithm ever
From: toby <toby00 () gmail com>
Date: Wed, 9 Jan 2019 00:37:38 -0800
I'm going to nitpick this. Not because your complaints about CVSS are bad, just that they are unsupported and insufficiently explained. On Tue, Jan 8, 2019 at 8:23 AM Dave Aitel <dave.aitel () cyxtera com> wrote:
I wanted to take a few minutes and do a quick highlight of a paper from CMU-CERT which I think most people have missed out on: https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf It's almost as funny a read as their previous best work on how "clientless HTTPS VPNs are insanely dumb <https://www.kb.cert.org/vuls/id/261869/> what were you thinking omg?" They use a ton of big words in the paper to call CVSS out and give it a shellacking. Like most of you, we have extensive use of CVSS in our consulting practice and I've seen this stuff first hand. CVSS is of course just a buggy compression algorithm for taking complex qualitative data and then putting it on a number line. The paper has three angles here: 1. Qualitative mappings into quantitative numbers are a silly thing to do, like people trying to do "social science" by using SurveyMonkey.
A. I have been smacking people who try to pretend that qualitative measurements are made better by wrapping them in numbers for 15 years. I completely agree. Second. We use numbers to represent qualitative values to enable reasoning. You can't multiply High * Medium * Low, but you can multiply 5 * 3 * 1. That's not turning qualitative data into quantitative data; it is just providing a shortcut to think about qualitative data. Finally. Social sciences, when done right, are collecting quantitative data about qualitative data, so SurveyMonkey is actually useful from that perspective. We will set aside the problem of selection bias due to access and interest in participation for the moment. The point stands; a single person's assessment of a qualitative thing is not data. 10,000 people's assessment of that qualitative thing is data.
2. We're pretty sure that the compression algorithm is not, in fact, putting higher risk items as bigger numbers, which is the whole point of the thing. 3. Nobody is applying this in any sort of consistent way (which is probably impossible) which is ALSO the whole point of the thing. It's fine to have a lossy compression algorithm that emphasizes certain aspects of the input signal over others, of course, but an additional CERT/CC critique is we have no reason to think CVSS does this in any useful way.
1. By definition every compression algorithm emphasizes certain aspects of the signal over others. In this case you are complaining that the parts that are emphasized are not the ones you think are important. B. That's completely reasonable. Offer me an alternative. Seriously, I'm not a fan of CVSS but I haven't seen a better alternative to a complete memory dump and description of all the consequences beyond that. So give me an alternative or grab me at the next conference and ply me with drinks and conversation and we can debate it.
There's definitely people in the CVSS process (who I will avoid calling out by name) who think ANY quantization is good. But read the paper and decide for yourself - because these are probably serious issues that are turning your entire risk org into a Garbage-In-Garbage-Out org...
That I cannot agree more with.
-dave _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave