[WEB SECURITY] Poll: How do you rank the importance of a vulnerability?

Paweł Krawczyk pawel.krawczyk at hush.com
Fri Feb 1 02:00:46 EST 2013

CVSS is a large step in the right direction, away from subjective 1-5 or
Low-High scores, but I still have a large practical problem with how
it's counted. CVSS has one issue that results in typical reports being
flooded by a mix of really important and less important vulnerabilities
that will be difficult to distinguish even using CVSS subscores. For
example, consider these two examples:
* remote bug in sshd
* bug in libtiff

Let's assume sshd is exploitable over the network (AV=N). Let's assume
libtiff can be exploited by someone who would need to open a malformed
TIFF - but that would also have AV=N because it's assumed the file is
delivered over the network. This is at least how most of these vulns are
classified in Qualys.

Obviously, the real risk is completely different in each case - sshd
just sits there and waits to be exploited, for libtiff you'd need a
rather rare opportunity (someone opening TIFFs on the server).

I once asked the CVSS team about this and they replied that this should
theoretically be captured by Access Complexity (AC) - for libtiff it's
AC=H (as you need to use social engineering, for example), for sshd
AC=L (just go and metasploit over the network).

But in real life the scores of both vulns will be very similar. At the end
of the day you end up with a report flooded by, say, 100 issues for each
server, out of which usually all will be like that libtiff one. And you
have no way to filter them out to focus on sshd-type vulns because of
how the classification is calculated.

 Paweł Krawczyk, CISSP
 http://ipsec.pl http://echelon.pl
 +48 602 776959

On 1/2/2013 at 12:58 AM, "Robert A." wrote:
Where would you suggest this poll be held? Keep in mind I have no time to
create or implement a polling application :)

- Robert

On Thu, 31 Jan 2013, MustLive wrote:

> Hello Robert!
> It's an interesting poll and webappsec professionals and experts could be
> interested to participate in the poll. But the place you've selected is not
> the place for opening the poll.
> You've opened it in LinkedIn. That one, which was hacked last year. This is a
> social network and none of the social networks attend to security. It's
> not the place for polls on web application security topics ;-).
> Plus I'm not using LinkedIn or any s.networks at all (and the poll requires
> registration in it).
> P.S.
> I agree with Phillip's standpoint.
> Best wishes & regards,
> Eugene Dokukin aka MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> Robert A. robert at webappsec.org
> Wed Jan 9 18:35:02 EST 2013
>> Greetings,
>> I've added a new poll to the WASC linkedin group that a few of you may be
>> interested in. Specifically asking how people rank the importance of
>> vulnerabilities.
>> Link
>> Regards,
>> Robert A.
>> WASC Co Founder/Moderator of The Web Security Mailing List
>> http://www.webappsec.org.

The Web Security Mailing List