New methodology for assessing security vulnerabilities

Hi all,

I have written an article that proposes a new method of assessing security vulnerabilities; instead of just counting them, I suggest a multi-variable approach, with logarithmic weighting.

If you're interested:

http://www.dedoimedo.com/computers/bugs.html

Comments and suggestions are welcome.

Cheers,
Mrk

 

It would be interesting to see how similar or different the "grades" are for some examples in your system vs Common Vulnerability Scoring System v2.

 

Hello,
Well, I'll check, see what comes up.
Cheers,
Mrk

 

I do like this more granular approach.

Vulnerability.
I thing this needs be more like 1000 or more for remote exploits as these can be 100% automated and spread round the world/LAN like wildfire.

Quantitity.
I am not confident on counting number of files modified, as some apps are monolithic, others very modularised into many dlls, could cause unfair bias, also not transposable across diferrent operating systems.

Other issue is that sometimes one patch fixes more than one vulnerability.