Dailydave: Re: The CrateMaster2000 of Security.

From: <andre_at_operations.net>
Date: Thu, 25 Jan 2007 17:42:12 -0700

Anton,

Dave is probably speaking about how CVSS is a weak measurement of
vulnerabilities. Microsoft Press has documented dealing with
threats vs. vulnerabilities in "Threat Modeling" and "Hunting Security
Bugs".

For example, Microsoft introduced STRIDE (threat-modeling) to augment
their DREAD vulnerability rating system. You may also want to look at
non-Microsoft threat-modeling such as CIAA or Trike (presented at
ToorCon 2005).

Also, speaking directly to CVSS is a blog entry and comment on OSVDB's blog:
http://osvdb.org/blog/?p=147#comments

-dre

On 1/25/07, Anton Chuvakin <anton_at_chuvakin.org> wrote:
> > somehow perfectly satirized by Old Man Murray's CrateMaster2000
> > (http://www.oldmanmurray.com/features/39.html), then it's time to go
> > back to the drawing board. CVSS, we're looking at you here.
>
> So, I am curious, how is CVSS like a CrateMaster 2000?
>
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.chuvakin.org
> http://chuvakin.blogspot.com
> http://www.info-secure.org
> _______________________________________________
> Dailydave mailing list
> Dailydave_at_lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
Received on Jan 26 2007
