[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security Spectra
P.J. Ponder writes:
> In your recent post to the cypherpunks mailing list you proposed a
> taxonomy of security weaknesses and vulnerabilities, adding that these
Please watch your attribution. Vlad Nuri proposed this rating scheme.
> The whole idea of categorizing or ranking holes and vulnerabilities ab
> intitio, outside of their contextual application to a real system is not
> very helpful. Systems vary so widely in their criticalities,
> sensitivities, costs, etc., that each of your pre-defined categorized
> weaknesses would have to be rejudged - in the context of the system being
> analyzed - to determine how, and to what extent it could effect the system.
I absolutely agree with you on this point. I'll point out again that this
is the same problem as creating a rating scheme for the security of
> The standard approach as I understand it is to analyze the system against
> all the known vulnerabilities and attempt to measure (maybe only
> qualitatively) the risks associated with the vulnerabilities.
It is popular these days to jump on the risk assessment bandwagon and
forget about assurance. This occurs because people think risk assessment
is a quick fix that you can do after the system is built and configured.
Some holes cannot be patched.
--Jeff Williams <mailto:[email protected]>