On Fri, Feb 27, 2009 at 5:36 AM, Thierry Zoller <[email protected]> wrote:
>
> Hi,
>
> Michal, with all due respect I'd like to beg to differ (and maybe be
> too nitpicky here).
>
> MZ> Vulnerabilities are a subset of software engineering bugs.
> I do not think this is the case (lack of the term software). How's
> this for being nitpicky? ;)
>
> In my book, maybe only in mine, a software bug is security relevant
> (sorry for the lack of clarity - it's late over here) as soon as
> Integrity / Availability / Confidentiality are under arbitrary direct
> or indirect control of another entity (i.e. attacker). Period,
> personally this represents the ultima ratio.
>
> After this - it's just a measure of _how much_. And the question of how much
> is a completely other one.
>
> Example
> If a Chrome tab can be crashed arbitrarily (remotely) it is a DoS attack
> but with ridiculously low impact to the end-user as it only crashes the tab
> it was subjected to, and not the whole browser or operating system.
> But the fact remains that this was the impact of a DoS condition,
> the tab crashes arbitrarily.

Eh? If you visit www.evil.com and your tab crashes, that's no different
from www.evil.com closing its own tab with Javascript.

Cheers
Chris

>
> MZ> As the name
> MZ> implies, they are defined strictly by the impact they have; if a bug
> MZ> does not render the victim appreciably susceptible to anything that
> MZ> would be of value to external attackers, it is not a security problem.
> You define vulnerability like a boolean that is true when the impact is of
> value to the attacker. "would be of value to external attacker" - I
> clearly disagree, I don't think that the nature of a bug
> (vulnerability) can be defined by the "value" it has for the attacker.
> What about damage to the victim? What about lost revenue, agreement
> breaches etc. pp. I'd not recommend measuring security from the perspective
> of the attacker, but rather the (potential) loss of the entity that tries to
> measure.
>
> MZ> Anyway... bottom line is, any attempts to formalize the criteria are
> MZ> bound to fail (and have mostly failed in the past), and common sense
> MZ> is the best tool we have.
>
> If we want to arrive at a state where risk can be managed, it needs
> to be measured. And if we aren't that far in 2009 I pity us all.
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
