[Owasp-testing] CVSS v2

Christian Heinrich christian.heinrich at cmlh.id.au
Fri May 10 05:32:45 UTC 2013


Colin,

On Fri, May 10, 2013 at 1:19 AM, Colin Watson <colin.watson at owasp.org> wrote:

> On 8 May 2013 09:14, Colin Watson <colin.watson at owasp.org> wrote:
>
> > I would avoid CVSS2 at all costs for application vulnerabilities if
> > possible. Yes, people have been known to fiddle with the values to
> > obtain the CVSS2 score they want. If anything other than the base
> > score is presented, be suspicious. If the vector is not provided (it
> > is a requirement), then be extremely suspicious.
>

I am not sure how you formed this opinion but the undisputed facts are:

   1. CVSS is intended to provide the priority of the implementation of
   workarounds and patches independent of the "nonces", i.e. those that are
   "Common[VSS]", to the Operating System and/or Application.  Hence, CVSS
   considers a much greater scope than a "single" web application.
   2. The "Base Score" can be verified by consulting either
   http://osvdb.org/ or http://web.nvd.nist.gov/view/vuln/search, which are
   *independent* of the affected software vendor.
   3. http://nvd.nist.gov/cvss.cfm?vectorinfo is published by both
   http://osvdb.org/ and http://web.nvd.nist.gov/view/vuln/search also.
   4. It is not possible to calculate the "Temporal Metric" without the
   "Base Metric".  I would be interested in reviewing the source you cited for
   this since one of the
   http://cmlh.id.au/post/25150772855/cvssv3-call-subjects put forward is
   "a real time for Temporal Metrics"

On Fri, May 10, 2013 at 1:19 AM, Colin Watson <colin.watson at owasp.org> wrote:

> On 8 May 2013 09:14, Colin Watson <colin.watson at owasp.org> wrote:
>
> > CVSS2 has no relevance at all to combinations of vulnerabilities.
>

I'll repeat from 1. above, i.e. "CVSS is intended to provide the priority
of the implementation of workarounds and patches independent of the
"nonces", i.e. those that are "CommonVSS", to the Operating System and/or
Application.  Hence, CVSS considers a much greater scope than a "single"
web application."

On Fri, May 10, 2013 at 1:19 AM, Colin Watson <colin.watson at owasp.org> wrote:

> On 8 May 2013 09:14, Colin Watson <colin.watson at owasp.org> wrote:
>
> > Also, the impact is measured against the target "system", and for many
> > organisations things like data, reputation, human safety, share price,
> > ethics are more important concerns. You need to determine the impact
> > and likelihood for the particular application/organisation.
>

These are "Environmental" vectors that are measured by the end user.

-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
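As an added illustration of the three metric groups argued over in this thread (not code from the list, from Christian Heinrich or from Colin Watson), the scorer below implements the CVSS v2 base, temporal and environmental equations from a vector string; the vectors it is fed are constructed examples. It shows concretely why a temporal score cannot exist without the base metrics (point 4 above) and how the environmental group lets the end user re-weight impact for their own system.

```python
"""CVSS v2 scorer: base, temporal and environmental scores from a vector string."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights as given in the CVSS v2 equations.
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
W["I"] = W["A"] = W["C"]      # impact weights are shared by C, I and A
W["IR"] = W["AR"] = W["CR"]   # security-requirement weights likewise

def round1(x):
    """CVSS rounds half up to one decimal; Python's round() is half-even."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse_vector(vector):
    m = dict(part.split(":", 1) for part in vector.strip("()").split("/"))
    missing = [k for k in ("AV", "AC", "Au", "C", "I", "A") if k not in m]
    if missing:  # temporal/environmental scores are undefined without the base metrics
        raise ValueError(f"base metrics missing: {missing}")
    return m

def impact(c, i, a):
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))

def base_from(m, imp):
    """Base equation, parameterised on the impact sub-score so the environmental
    equation can substitute its adjusted impact."""
    exploitability = 20 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["Au"][m["Au"]]
    return round1((0.6 * imp + 0.4 * exploitability - 1.5) * (1.176 if imp else 0.0))

def cvss2_scores(vector):
    m = parse_vector(vector)
    c, i, a = (W[k][m[k]] for k in ("C", "I", "A"))
    out = {"base": base_from(m, impact(c, i, a))}
    tmul = W["E"][m.get("E", "ND")] * W["RL"][m.get("RL", "ND")] * W["RC"][m.get("RC", "ND")]
    if any(k in m for k in ("E", "RL", "RC")):
        out["temporal"] = round1(out["base"] * tmul)   # temporal only scales the base
    if any(k in m for k in ("CDP", "TD", "CR", "IR", "AR")):
        # Environmental: the user's C/I/A requirements re-weight impact (capped at 10),
        # then collateral damage and target distribution adjust the result.
        adj = min(10.0, impact(c * W["CR"][m.get("CR", "ND")], i * W["IR"][m.get("IR", "ND")],
                               a * W["AR"][m.get("AR", "ND")]))
        adj_temporal = round1(base_from(m, adj) * tmul)
        cdp, td = W["CDP"][m.get("CDP", "ND")], W["TD"][m.get("TD", "ND")]
        out["environmental"] = round1((adj_temporal + (10 - adj_temporal) * cdp) * td)
    return out
```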