New methodology for assessing security vulnerabilities

Discussion in 'other software & services' started by Mrkvonic, Jun 14, 2008.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hi all,

    I have written an article that proposes a new method of assessing security vulnerabilities; instead of just counting them, I suggest a multi-variable approach, with logarithmic weighting.

    If you're interested:

    http://www.dedoimedo.com/computers/bugs.html

    Comments and suggestions are welcome.

    Cheers,
    Mrk
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    It would be interesting to see how similar or different the "grades" are for some examples in your system vs Common Vulnerability Scoring System v2.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    Well, I'll check, see what comes up.
    Cheers,
    Mrk
     
  4. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    I do like this more granular approach.

    Vulnerability.
I think this needs to be more like 1000 or more for remote exploits, as these can be 100% automated and spread round the world/LAN like wildfire.

    Quantity.
    I am not confident in counting the number of files modified, as some apps are monolithic and others very modularised into many DLLs; this could cause unfair bias, and it is also not transposable across different operating systems.

    Another issue is that sometimes one patch fixes more than one vulnerability.
     
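To make the comparison MrBrian asks for and NGRhodes's two caveats concrete, here is an added example that is not part of this thread or of the linked article. The CVSS v2 base-score arithmetic and its metric weights are taken from the published v2 specification; the "log-weighted" score, the vector weights (remote 1000, local 10) and the three sample vulnerabilities are assumptions constructed for this example, not Mrkvonic's actual formula. The quantity variable is log-damped so that a modular program shipping many DLLs is not punished for its packaging, and scores are accumulated per vulnerability rather than per patch, so a patch that fixes two bugs counts twice.

```python
"""Compare three ways of summarising a product's vulnerabilities:
a plain patch count, a hypothetical multi-variable log-weighted score,
and the CVSS v2 base score (example code, not from the linked article)."""
import math
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights, as published in the v2 specification.
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},      # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},       # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},      # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},       # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},       # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},       # availability impact
}


def cvss2_base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    w = {k: CVSS2_WEIGHTS[k][metrics[k]] for k in CVSS2_WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # The spec rounds to one decimal; Decimal avoids banker's-rounding surprises.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Hypothetical log-weighted score (an assumption for this example).
# Two variables: attack vector weight (remote exploits are wormable, so they
# get the 1000 NGRhodes suggests; local gets 10) and the number of files the
# fix touches, log-damped so modular apps with many DLLs are not over-penalised.
VECTOR_WEIGHT = {"remote": 1000, "local": 10}


def log_weighted_score(vuln):
    """Per-vulnerability score: log10(vector weight) + log10(1 + files changed)."""
    return (math.log10(VECTOR_WEIGHT[vuln["vector"]])
            + math.log10(1 + vuln["files_changed"]))


# Constructed sample data: three vulnerabilities shipped in two patches.
VULNS = [
    {"id": "V1", "patch": "P1", "vector": "remote", "files_changed": 9,
     "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "V2", "patch": "P1", "vector": "local", "files_changed": 1,
     "cvss2": "AV:L/AC:L/Au:N/C:P/I:P/A:P"},
    {"id": "V3", "patch": "P2", "vector": "remote", "files_changed": 99,
     "cvss2": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
]


def summarise(vulns):
    """Return the competing summaries for one product's vulnerability set."""
    return {
        "patch_count": len({v["patch"] for v in vulns}),  # what 'just counting' sees
        "vuln_count": len(vulns),                          # one patch can fix several
        "log_weighted_total": sum(log_weighted_score(v) for v in vulns),
        "cvss2_scores": [cvss2_base_score(v["cvss2"]) for v in vulns],
    }


if __name__ == "__main__":
    for key, value in summarise(VULNS).items():
        print(f"{key}: {value}")
```

On the constructed data the patch count says 2 while the vulnerability count says 3, the log-weighted total comes out near 10.3 (V1 and V3 dominate because they are remote; V3's 99 touched files add only two units of log weight), and the CVSS v2 base scores are 10.0, 4.6 and 7.5. That is the kind of side-by-side grade MrBrian is asking about: the two schemes agree on ordering here, but CVSS v2 does not model the quantity variable at all.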