Konrad,
On Sun, 7 Apr 2019 at 08:17, Christian Heinrich
wrote:
>
>>On Wed, 9 Jan 2019 at 06:23, Konrads Smelkovs
>> wrote:
>>CMU is actually an active contributor to the CVSS specification.
>
> https://www.linkedin.com/in/sasha-romanosky-6093831/ of CMU is a
> pioneer of
Dave,
On Fri, 11 Jan 2019 at 04:51, Dave Aitel wrote:
> The issue is simplified to: If an SQLi exists, how does that rank for the
> CVSS Confidentiality, Integrity, and Availability sections? Like, here's
> an example: https://nvd.nist.gov/vuln/detail/CVE-2013-0375 . As you
> can see there is
> I try to explain - when you're hiring a pentester, you're paying for their
> opinion as they perform a point-in-time assessment.
Well, that's not entirely true; a significant percentage of work comes from
vendors seeking to acquire or utilize another product or an institution going
through
Everywhere I've ever pentested, we've used a low/medium/high or
low/medium/high/critical scale - this is my first encounter with DREAD.
What you describe though - clients attempting to negotiate down the
severity of vulns on the report - was common regardless of the scoring
system used. I don't
Okay, I'll respond generally about DREAD. The issue comes up when
people say "We'll treat a DREAD rating of >= 8 as critical." Then
someone looks at your discoverability of 7, and says "hmm, if this
were a 6, then DREAD would be 7.9...can we change it?" Lacking any
guidance on the difference,
I probably shouldn't have brought it up - I'm not involved much on the
pentesting side. I know we've discussed replacing it, but finding little
out there to replace it with.
In my own work, I find most of my pentesting results come down to a binary
value (hackable, not hackable) and some sense of
termining your org's risk due to a vulnerability. That
> isn’t a CVSS problem that’s a vulnerability management 101 problem.
>
> Regards,
> Bruce
> Intel PSIRT
>
> Opinions expressed are my own and may not reflect those of my employer.
On Wed, Jan 09, 2019 at 08:18:48AM -0500, Adrian Sanabria wrote:
> Our pentesters use DREAD, which I think most people have moved on from, but at
> least the scoring is clear and consistent.
I'm sorry, but I need to rant a little.
A decade back, I wrote a "DREAD is DEAD, please stop" blog post
From: Dailydave On Behalf Of Adrian
Sanabria
Sent: Thursday, January 10, 2019 8:02 AM
To: Wim Remes
Cc: dailydave@lists.immunityinc.com
Subject: Re: [Dailydave] CVSS is the worst compression algorithm ever
Okay, we k
CVSS needs to be embedded as a parameter/criteria in a Risk Evaluation;
it is not a risk indicator in itself and should not be used for patch
prioritisation in itself.
The importance of the asset (business process it supports, revenue
generated by adjacent processes etc.), i.e. the
CVSS' greatest attribute is that it lets assessors fudge the numbers to
make assessors happy and gives risk people some kind of industry standard
document/organization attesting to the risk. Everyone wins.
It's only when people start asking (valid) questions where things fall
apart.
There are
Ok, so half of FIRST or the CVSS team is angry at me for my tweets about
the examples on FIRST.com being wrong. But here, in general, is a common
issue I see with CVSS scores in our deliverables, that I try to correct,
although admittedly I'm not an expert at CVSS itself.
The issue is simplified
> I wanted to
I'm going to nitpick this. Not because your complaints about CVSS are bad,
just that they are unsupported and insufficiently explained.
On Tue, Jan 8, 2019 at 8:23 AM Dave Aitel wrote:
> I wanted to take a few minutes and do a quick highlight of a paper from
> CMU-CERT which I think most people
CVSS is useful, but not in isolation.
Let me back up a bit. Apologies, but I'm going to rant a bit and mention my
employer. Not because I want to shill product, but because this issue is
the entire reason I joined this vendor in the first place. I had offers for
a lot more money elsewhere, but
> They use a ton of big words in the paper to call CVSS out and give it a
> shellacking. Like most of you, we have extensive use of CVSS in our
> consulting practice and I've seen this stuff first hand. CVSS is of course
> just a buggy compression algorithm for taking complex qualitative data
I wanted to take a few minutes and do a quick highlight
The question is not whether it is a bad metric, but whether it is a useful
one.
As a lurker on the first.org mailing list for CVSSv3 SIG, I can assure you
that there are a lot of discussions about edge cases etc. v3 is a
meaningful improvement over v2. So far, CVSS has allowed industry broadly
to
I wanted to take a few minutes and do a quick highlight of a paper from
CMU-CERT which I think most people have missed out on:
https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf
Towards Improving CVSS -