[Dailydave] smaller errors eroding situational awareness.
security curmudgeon
jericho at attrition.org
Sun Aug 18 01:07:29 EDT 2013
: Jericho and I touched on this challenge a little bit when we said that
: "Vulns are gonna get weirder" in our Black Hat presentation on why
: vulnerability statistics suck (slide 79), plus there is the general
: theme of CVSS's limitations for risk assessment by various presenters in
: the past year or two. Unfortunately, the number of people who complain
: about CVSSv2 is exponentially smaller than the number of people who are
: actively contributing to the development of CVSSv3 which is ongoing, but
: I digress into uncomfortable observations.

I'd have to listen to audio again, but pretty sure that I very, very
briefly touched on vulnerability chains, and immediately moved on. Why?
CVSSv2 is a mess. CVSSv3 promises to resolve some fundamental headaches.
I don't see any scoring system properly deal with chaining in this decade.