Nmap Development mailing list archives

Re: [RFC] Vulnerability library proposal


From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Tue, 9 Aug 2011 10:30:55 +1000

Marc,

On Mon, Aug 8, 2011 at 7:10 PM, Marc Ruef <marc.ruef () computec ch> wrote:
> We may suggest to define a solid risk factor definition. Something like CVSS
> would be good (but is also flawed, as I have documented in [5]). If no
> formal approach is used, at least a clear formulation of risk levels is
> required. Some comparison between our approach, Qualys and Nessus is
> available at [6].

The advantage of CVSS is the Environmental metric, which has the end
user calculating the priority to implement the fix or workaround
independent of the vendor(s)' advisories, e.g. which is more urgent:
Microsoft or Cisco?

That stated, if I need to quote the "risk", which infers "severity",
then I would reflect the rating(s) used by
http://cwe.mitre.org/top25/,
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, CVSSv2
"Base" Metric, etc.

Also, inferring "risk" as "severity" alone is a common mistake as
inherent (risk) and residual risk i.e. AS/NZS ISO 31000:2009 are
measured based on likelihood i.e. CVSSv2's Temporal Metrics.

BTW, I really enjoyed your research on the statistical analysis of
CVSS Base Scores.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

