[Owasp-webcert] Metrion 2.0 Slides

Chris Wysopal cwysopal at Veracode.com
Thu Aug 9 09:36:42 EDT 2007


 
It is possible to use parts of the scoring system without using the
whole thing.  That is why CVSS broke the formula down into 3 major
levels, base, temporal, and environmental which all build on each other.
Even within one  level such as temporal you can always set a value to 1
to take the worst case scenario which is what you should do if you are
missing a data point.
 
I am not sure it is that much work to calculate.  You either have the
data points or you don't and you just plug the numbers into a
spreadsheet.  The main benefit of the scoring system is it eliminates
subjectivity as much as possible.  We want the results to be biased by
the auditor as little as possible. The scoring system may have biases
but at least every assessment is biased the same way.  These biases can
be corrected over time.  This type of correction was done when CVSS
moved from v1 to v2. 
 
One of the main reasons I want to introduce a common way of scoring
weaknesses is I want to be able to take the results of static analysis
(both automated and manual) and combine them with the results of dynamic
analysis (both automated and manual).  Static analysis often can't
ascertain exploitability.  It is usually an estimate so this factor has
to be worked into the equation. Any automated tool will have only a
certain confidence in getting it right.  Even humans make mistakes but
usually on the false negative side.
 
Another reason for a scoring system is manual reviews often are not
rigorous with weighting their findings. A scoring system would force a
manual reviewer to categorize the flaw using CWE and then use the
formula. This way all manual review results are standardized and can be
merged with automated results seamlessly.
 
-Chris
 

________________________________

From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Mark Curphey
Sent: Thursday, August 09, 2007 5:44 AM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] Metrion 2.0 Slides



Brilliant stuff. I know Chris is on the list. 

 

What I REALLY like is the ability to put tangible numbers to things and
provide confidence levels. 

 

My question is, do you think this could be applied to a scheme like the
one I am proposing (i.e. from what I can see from the slides there is a
lot of work to calculate this)?

 

From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Bellis, Ed
Sent: Wednesday, August 08, 2007 8:49 PM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] Metrion 2.0 Slides

 

And here are Wysopal's slides:

 

"Software Security Weakness Scoring"
Chris Wysopal (Veracode) Slides
<https://securitymetrics.org/content/attach/Metricon2.0/Wysopal-metricon2.0-software-weakness-scoring.ppt>

 

Very appropriate for this list.

 

-Ed

 

 

________________________________

From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Mark Curphey
Sent: Wednesday, August 08, 2007 9:22 AM
To: owasp-webcert at lists.owasp.org
Subject: [Owasp-webcert] Metrion 2.0 Slides

 

I am waiting on Wysopal's slides to be posted but these have some great
stuff in.

 

"Security Metrics in Practice: Development of a Security Metric System
to Rate Enterprise Software"
Fredrick DeQuan Lee and Brian Chess (Fortify) Slides
<https://securitymetrics.org/content/attach/Metricon2.0/Lee_metricon20070807.ppt>

"A Software Security Risk Classification System"
Eric Dalci and Robert Hines (Cigital) Slides
<https://securitymetrics.org/content/attach/Metricon2.0/Metricon_edalci_rhines_Final.pdf>
