Nmap Development mailing list archives
Re: [RFC] Vulnerability library proposal
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Tue, 9 Aug 2011 10:30:55 +1000
Marc,

On Mon, Aug 8, 2011 at 7:10 PM, Marc Ruef <marc.ruef () computec ch> wrote:

> We may suggest to define a solid risk factor definition. Something like CVSS would be good (but is also flawed, as I have documented in [5]). If no formal approach is used, at least a clear formulation of risk levels is required. Some comparison between our approach, Qualys and Nessus is available at [6].

The advantage of CVSS is the Environmental metric, which has the end user calculating the priority to implement the fix or workaround independent of the vendor(s)' advisories, e.g. which is more urgent? Microsoft or Cisco?

That stated, if I need to quote the "risk", which infers "severity", then I would reflect the rating(s) used by http://cwe.mitre.org/top25/, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, CVSSv2 "Base" Metric, etc.

Also, inferring "risk" as "severity" alone is a common mistake, as inherent (risk) and residual risk, i.e. AS/NZS ISO 31000:2009, are measured based on likelihood, i.e. CVSSv2's Temporal Metrics.

BTW, I really enjoyed your research on the statistical analysis of CVSS Base Scores.

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact