Dailydave mailing list archives
Dino-VSS
From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Mon, 10 Aug 2020 19:33:09 -0400
[image: image.png] Bistahieversor or MS08-067?

If you had to list out the problems with CVSS it would be like analyzing the anatomical issues of a children's drawing. No part of it fits together properly. Here's a problem: scoring of threats is not one-dimensional, and numbers can't carry the whole story. We need a vulnerability scoring system that's extensible and programmable.

But I have an alternative: take each vulnerability attribute and assign it to a dinosaur part! Is it a client-side? Then it's got legs! Does it need user interaction? Then short stumpy legs. Is it a true remote against a service? Then it's got wings. Is it a root bug? Then it has a big mouth. User-level access? Duckbill.

That way, the attributes of the vulnerability reflect themselves as a literal model - a denizen of your Cretaceous nightmares. But it rings true - getting attacked by five hundred pre-auth XSS bugs in your web front-end is exactly like getting attacked by a horde of ducks. And of course, vulnerabilities can combine - an LPE + a remote user-level XSS + sandbox escape has legs and teeth.

Modeling is better than scoring in every way. Maybe your network is an Animantarx <https://en.wikipedia.org/wiki/Animantarx>, a living citadel, but more likely you're a Diplodocus, a big bag of walking meat getting nibbled to death by ducks.

-dave
_______________________________________________ Dailydave mailing list -- dailydave () lists aitelfoundation org To unsubscribe send an email to dailydave-leave () lists aitelfoundation org
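The post argues that attributes should compose into a model rather than collapse into a number. As an added example (not code from the post or from any real scoring system), here is a small Python sketch of that idea: each bug is a set of attributes, a chain of bugs composes them with explicit reachability rules (an LPE needs prior code execution, a sandbox escape needs a sandbox to escape from), and the resulting "animal" is read back out as parts. The Vector/Priv names, the composition rules and the sample bugs are this example's own assumptions.

```python
"""Composable vulnerability model (illustrative; not any standard scoring system).

A chain of bugs composes attributes instead of averaging scores: the entry vector
comes from the first bug, the privilege is the highest reached, user interaction is
needed if any step needs it, and a sandbox persists until a step escapes it.
"""
from dataclasses import dataclass
from enum import Enum


class Vector(Enum):
    REMOTE = "remote"   # true remote against a service: wings
    CLIENT = "client"   # client-side: legs (short and stumpy if interaction is needed)
    LOCAL = "local"     # needs code already running on the box: a follow-up step only


class Priv(Enum):
    NONE = 0
    USER = 1   # duckbill
    ROOT = 2   # big mouth


@dataclass(frozen=True)
class Vuln:
    name: str
    vector: Vector
    gained: Priv                 # privilege this bug yields on its own
    needs_interaction: bool = False
    in_sandbox: bool = False     # code execution lands inside a sandbox
    escapes_sandbox: bool = False


@dataclass(frozen=True)
class Chain:
    """The composite creature: accumulated attributes of a sequence of bugs."""
    vector: Vector
    gained: Priv
    needs_interaction: bool
    in_sandbox: bool
    steps: tuple


def start(v: Vuln) -> Chain:
    """A chain begins with an entry point (remote or client-side), never a local bug."""
    if v.vector is Vector.LOCAL:
        raise ValueError(f"{v.name} needs code execution first; it cannot start a chain")
    return Chain(v.vector, v.gained, v.needs_interaction, v.in_sandbox, (v.name,))


def can_follow(chain: Chain, v: Vuln) -> bool:
    """A step may extend a chain only if the chain already provides what it needs."""
    if v.vector is not Vector.LOCAL:
        return False                      # remote/client bugs are entry points, not follow-ups
    if chain.gained is Priv.NONE:
        return False                      # nothing to run the local bug with
    if v.escapes_sandbox:
        return chain.in_sandbox           # nothing to escape from otherwise
    return not chain.in_sandbox           # an LPE cannot run from inside the sandbox


def compose(chain: Chain, v: Vuln) -> Chain:
    if not can_follow(chain, v):
        raise ValueError(f"{v.name} cannot follow {chain.steps}")
    return Chain(
        vector=chain.vector,              # entry vector fixed by the first bug
        gained=max(chain.gained, v.gained, key=lambda p: p.value),
        needs_interaction=chain.needs_interaction or v.needs_interaction,
        in_sandbox=chain.in_sandbox and not v.escapes_sandbox,
        steps=chain.steps + (v.name,),
    )


def build(*vulns: Vuln) -> Chain:
    chain = start(vulns[0])
    for v in vulns[1:]:
        chain = compose(chain, v)
    return chain


def valid(*vulns: Vuln) -> bool:
    """True if the bugs compose into a reachable chain in the given order."""
    try:
        build(*vulns)
        return True
    except ValueError:
        return False


def anatomy(chain: Chain) -> list:
    """Read the composite back out as the post's dinosaur parts."""
    parts = []
    if chain.vector is Vector.REMOTE:
        parts.append("wings")
    elif chain.vector is Vector.CLIENT:
        parts.append("short stumpy legs" if chain.needs_interaction else "legs")
    if chain.gained is Priv.ROOT:
        parts.append("big mouth")
    elif chain.gained is Priv.USER:
        parts.append("duckbill")
    return parts


# Constructed sample bugs for illustration (not real CVEs).
SAMPLE = {
    "xss": Vuln("pre-auth XSS in web front-end", Vector.REMOTE, Priv.USER, in_sandbox=True),
    "renderer": Vuln("browser renderer bug", Vector.CLIENT, Priv.USER,
                     needs_interaction=True, in_sandbox=True),
    "escape": Vuln("sandbox escape", Vector.LOCAL, Priv.USER, escapes_sandbox=True),
    "lpe": Vuln("kernel LPE", Vector.LOCAL, Priv.ROOT),
    "rce": Vuln("pre-auth service RCE as root", Vector.REMOTE, Priv.ROOT),
}

if __name__ == "__main__":
    s = SAMPLE
    print(anatomy(build(s["renderer"], s["escape"], s["lpe"])))   # client chain to root
    print(anatomy(build(s["rce"])))                                # wings and a big mouth
    print(valid(s["renderer"], s["lpe"]))                          # LPE from inside a sandbox: False
```

The point the code makes that a single number cannot: the same LPE is worthless on its own, irrelevant while you are still sandboxed, and decisive once paired with an escape, and the model captures that ordering instead of adding up three independent scores.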