Re: [Dailydave] Vuln scoring system anyone?
From: Brian Erdelyi (brian_erdelyi at yahoo.com)
Date: Tue Mar 01 2005 - 10:46:16 CST
> I just think it was a bit confusing when presented
> without supporting
> text. Maybe you could make it a web app instead of a
> Excel spreadsheet. :>
It took me a little time to find the actual report
explaining the variables and formula. It was at that
point I created the tool.
A web app will be my next version.
> Hmm. I guess my point here is that vendors are very
> bad places to get
> your vulnerability information. When we release a
Assuming base score of 10. No patch and vuln is not
acknowledged by vendors.
  Exploitability     High
  Remediation Level  Unavailable
  Report Confidence  Uncorroborated
  Temporal Score     9.5
Once acknowledged by vendor:
  Exploitability     High
  Remediation Level  Unavailable
  Report Confidence  Confirmed
  Temporal Score     10
Once patched by vendor:
  Exploitability     High
  Remediation Level  Official Fix
  Report Confidence  Confirmed
  Temporal Score     8.7
If vendor confirmation and patch are simultaneous then
the vuln was scored higher before confirmed. I think
this is reasonable (though I think vendors should
confirm the vuln and provide a temporary fix or
workaround before making a patch available).
> The other thing that wasn't answered for me by the
> presentations was:
> What makes this set of metrics more special than
> other metrics? Is it
> just buy in from the vendors? Is there some sort of
> test we can run that
> will demonstrate its usefulness over others?
Vendor support and an open methodology are significant
differentiators. I think it's too soon to test its
usefulness over others. Considering the media
attention it's been getting this can help improve
awareness and adoption. I expect vendors of
vulnerability assessment tools will be quick to
incorporate this score.
I think this will benefit Nessus since signature
authors now have a more consistent way to score the
vulnerability they are testing for.
I think there is a risk of many vulns being scored
"middle of the road" with small variances in values.
It may be difficult to put it in perspective. I think
I'd like to see how a few of the high-profile
vulnerabilities score and compare with each other.
Brian Erdelyi
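The three scoring stages Brian walks through, as an added runnable example (not code from the post or from the CVSS authors). The weights are the CVSS v1 temporal metric values from the 2005 specification; the stage labels and the "floor" helper are my own additions.

```python
# CVSS v1 temporal score: base x Exploitability x Remediation Level
# x Report Confidence, rounded to one decimal place.
# Weights below are the CVSS v1 (2005) temporal metric values.
EXPLOITABILITY = {
    "Unproven": 0.85, "Proof-of-Concept": 0.90, "Functional": 0.95, "High": 1.00,
}
REMEDIATION_LEVEL = {
    "Official Fix": 0.87, "Temporary Fix": 0.90, "Workaround": 0.95, "Unavailable": 1.00,
}
REPORT_CONFIDENCE = {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.00}


def temporal_score(base, exploitability, remediation, confidence):
    """Return the CVSS v1 temporal score for a base score and three temporal metrics."""
    if not 0.0 <= base <= 10.0:
        raise ValueError("base score must be between 0 and 10")
    score = (base * EXPLOITABILITY[exploitability]
             * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])
    return round(score, 1)


def lifecycle(base, exploitability="High"):
    """Score the three stages from the post: unacknowledged, acknowledged, patched.

    Stage labels are constructed for this example; they are not CVSS terms.
    """
    return [
        ("unacknowledged", temporal_score(base, exploitability, "Unavailable", "Uncorroborated")),
        ("acknowledged", temporal_score(base, exploitability, "Unavailable", "Confirmed")),
        ("patched", temporal_score(base, exploitability, "Official Fix", "Confirmed")),
    ]


def temporal_floor(base):
    """Lowest temporal score the metrics can produce for a given base score.

    Illustrates the "middle of the road" concern: temporal metrics can only
    lower a base score, and by at most about a third.
    """
    return temporal_score(base, "Unproven", "Official Fix", "Unconfirmed")


if __name__ == "__main__":
    for stage, score in lifecycle(10):
        print(f"{stage:15s} {score}")
    print("floor for base 10:", temporal_floor(10))
```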
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave