|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Dailydave] The CrateMaster2000 of Security.
andre
operations.net
Date: Thu Jan 25 2007 - 18:42:12 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Anton,
Dave is probably speaking about how CVSS is a weak measurement of
vulnerabilities. Microsoft Press has documented in dealing with
threats vs. vulnerabilities in "Threat Modeling" and "Hunting Security
Bugs".
For example, Microsoft introduced STRIDE (threat-modeling) to augment
their DREAD vulnerability rating system. You may also want to look at
non-Microsoft threat-modeling such as CIAA or Trike (presented at
ToorCon 2005).
Also, speaking directly to CVSS is a blog entry and comment on OSVDB's blog:
http://osvdb.org/blog/?p=147#comments
-dre
On 1/25/07, Anton Chuvakin <antonchuvakin.org> wrote:
> > somehow perfectly satirized by Old Man Murray's CrateMaster2000
> > (http://www.oldmanmurray.com/features/39.html), then it's time to go
> > back to the drawing board. CVSS, we're looking at you here.
>
> So, I am curious, how is CVSS like a CrateMaster 2000?
>
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.chuvakin.org
> http://chuvakin.blogspot.com
> http://www.info-secure.org
> _______________________________________________
> Dailydave mailing list
> Dailydavelists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]