Dailydave mailing list archives

RE: Vuln scoring system anyone?


From: "Ben Nagy" <ben () iagu net>
Date: Thu, 3 Mar 2005 09:53:55 +0100

Hi, n00b post etc.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Tom Parker
[...]
Well, the basis of most of the theory on which CVSS rates vuln severity
seems fairly sound.

I guess it's better than nothing.

However, I stand by my original point: that there is no mention anywhere
that the perceived asset value needs to be factored in at some point.

When you start thinking about vulnerability risk

Every sensible vendor [1] is going to do this. All this CVSS stuff is
intended to do is score vulnerability Severity - don't mix that up with Risk
with a big 'r'. The tools from the vendors will then combine this severity
with the asset value, and ideally also something to represent the relative
threat (asset behind firewall safer than asset with ass hanging out on
'net). Risk will then be derived as R=VulnSeverity*Threat*AssetValue, or
some more complicated version of the same thing, and you can go nuts from
there in building big spreadsheets of meaningless numbers.

You're right that it is not up to vendors to tell users what their own
business risk is, but it is up to us to give users tools with which they can
produce those kinds of indications (either qualitative or quantitative with
$$signs) much more easily than today.

Standardising severity is just one step in that direction.

[allgoodstuff snipped]

Another thing - if a vendor finds out about an 0day in their product
are they going to issue an initial alert, rating the issue as high
due to its high impact, lack of fix and the possible presence of a
POC in the wild, and then re-rate it once they have fixed it, or
just not tell people about it until it's been fixed? If a vendor
releases an advisory for an issue that they have fixed, but no POC
exists for in the public domain, will they update their advisory when
a POC enters the 'public' domain?

OK, this kind of leads me to the big issue I have with this CVSS - what is
to stop three different vendors from having different opinions on the CIA
impact? What about when one vendor doesn't believe that a POC works, so
they don't update their score? My concern is that this is being touted as
"standardised scoring" when, really, it's not. It's a standardised
methodology, which is (IMHO) much less valuable.

Now, if all the software vendors and vulnerability folks could all agree and
make the CVSS part of a constantly updated field in the CVE, or maybe OSVDB
or something then that would start to get my attention. But who's going to
make that final determination?

Don't get me wrong, I think the severity rating is a step in the right
direction - but software vendors are in no place to be preaching to
folks about remediation urgency/priority/what to eat for lunch.

I don't think any vendor will try that. All the vendors are about is
producing tools that will give you good answers if you input the right
information about your systems. However, there is a big GIGO risk - but
that's not our fault. ;)

All IMHO, does not reflect opinion of my employer, may be flat out wrong.

Cheers,

ben

[1] I work for eEye.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave