Comments on: Risk and CVSS (Post 2) http://risktical.com/2008/09/01/risk-and-cvss-post-2/ Assessing, Articulating & Quantifying Information Security Risk Fri, 04 Jun 2010 19:07:42 +0000 hourly 1 http://wordpress.com/ By: Walt Williams http://risktical.com/2008/09/01/risk-and-cvss-post-2/#comment-67 Walt Williams Tue, 09 Sep 2008 12:14:32 +0000 http://risktical.wordpress.com/?p=58#comment-67 This is all for the good in determining a company neutral evaluation of the relative risk for CVSS issues, but any evaluation must be placed within the context of the system you're protecting. XSS may be a larger issue for company X than for company Y based upon their business model. On a similar basis, SQL injection may be a smaller issue for company Y than for company X due to a lack of use of SQL databases under their web application. However the CVSS scoring will flag SQL Injection issues as more critical than XSS for both companies. Creating relative risk metrics from CVSS scoring won't reflect the business model, the assets present, nor the real impact to the organization. As such, any effort to assign risk from CVSS scoring is doomed to be an inadequate model for analyzing risk. This is all for the good in determining a company neutral evaluation of the relative risk for CVSS issues, but any evaluation must be placed within the context of the system you’re protecting. XSS may be a larger issue for company X than for company Y based upon their business model.

On a similar basis, SQL injection may be a smaller issue for company Y than for company X due to a lack of use of SQL databases under their web application.

However the CVSS scoring will flag SQL Injection issues as more critical than XSS for both companies.

Creating relative risk metrics from CVSS scoring won’t reflect the business model, the assets present, nor the real impact to the organization. As such, any effort to assign risk from CVSS scoring is doomed to be an inadequate model for analyzing risk.

]]> By: Risk and CVSS | RiskAnalys.is http://risktical.com/2008/09/01/risk-and-cvss-post-2/#comment-53 Risk and CVSS | RiskAnalys.is Tue, 02 Sep 2008 17:33:34 +0000 http://risktical.wordpress.com/?p=58#comment-53 [...] Hayes is taking me to town in terms of risk content with his last two posts on Risk & CVSS.  I told you his blog was going to be a good [...] [...] Hayes is taking me to town in terms of risk content with his last two posts on Risk & CVSS.  I told you his blog was going to be a good [...]

]]>