Re: 'Quantification' of vulnerability rating

[Lionel Ferette <lionel.ferette () belnet be>]

Hello,

In the wise words of Gaurav Kumar, on Thursday 23 June 2005 14:50:
[SNIP]
> Generally in VARs (Vulnerability Assessment Report), we identify the
> vulnerability as Critical, Medium, Low etc, the judgment is based on
> generally perception like buffer overflow is critical vulnerability,
> but I guess it will be better if we can map it to the usage scenario,
> and other parameters like how difficult it is to exploit it, how
> widely the product is used etc. We can give some numbers to all these
> parameters and come up with a model where we can 'quantify'
> vulnerability. Based on this number we can rate the vulnerability
> accordingly.
>
> It is just a thought, please let me know if someone is working on similar
> area. 
Still a work in progress, but you could have a look at CVSS (Common 
Vulnerability Scoring System):
http://www.first.org/cvss/

They try to basically do what you have in mind, taking into account such 
things as vendor input, but also "environmental" issues that are more 
specific to different environments.

Cheers,

Lionel

-- 
"To understand how progress failed to make our lives easier,
please press 3"

Lionel Ferette
BELNET CERT Coordinator

Tel: +32 2 7903385                  http://cert.belnet.be/
Fax: +32 2 7903375                  PGP Key Id: 0x5662FD4B

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/