[Owasp-webcert] Metrion 2.0 Slides

Mark Curphey mark at curphey.com
Mon Aug 13 05:43:54 EDT 2007


This is great. Let me take this information and make a first pass at what
this may look like in relation to this OWASP project today or tomorrow. I
will also give you a call and see if you have some time to talk through this
over the phone. The goal of minimal subjectivity is surely key for everyone
(without my cynical Britishness coming out) with a vested interest in this. 

From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Chris Wysopal
Sent: Thursday, August 09, 2007 3:37 PM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] Metrion 2.0 Slides

It is possible to use parts of the scoring system without using the whole
thing.  That is why CVSS broke the formula down into 3 major levels, base,
temporal, and environmental, which all build on each other.  Even within one
level, such as temporal, you can always set a value to 1 to take the
worst-case scenario, which is what you should do if you are missing a data
point.

I am not sure it is that much work to calculate.  You either have the data
points or you don't, and you just plug the numbers into a spreadsheet.  The
main benefit of the scoring system is that it eliminates subjectivity as much
as possible.  We want the results to be biased by the auditor as little as
possible. The scoring system may have biases, but at least every assessment
is biased the same way.  These biases can be corrected over time.  This type
of correction was done when CVSS moved from v1 to v2. 

One of the main reasons I want to introduce a common way of scoring
weaknesses is that I want to be able to take the results of static analysis
(both automated and manual) and combine them with the results of dynamic
analysis (both automated and manual).  Static analysis often can't ascertain
exploitability.  It is usually an estimate, so this factor has to be worked
into the equation. Any automated tool will have only a certain confidence in
getting it right.  Even humans make mistakes, but usually on the false
negative side. 

Another reason for a scoring system is that manual reviews often are not
rigorous in weighting their findings. A scoring system would force a manual
reviewer to categorize the flaw using CWE and then use the formula. This way
all manual review results are standardized and can be merged with automated
results seamlessly.

-Chris

  _____  

From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Mark Curphey
Sent: Thursday, August 09, 2007 5:44 AM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] Metrion 2.0 Slides

Brilliant stuff. I know Chris is on the list. 

What I REALLY like is the ability to put tangible numbers to things and
provide confidence levels. 

My question is, do you think this could be applied to a scheme like the one I
am proposing (i.e. from what I can see from the slides there is a lot of
work to calculate this)?

From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Bellis, Ed
Sent: Wednesday, August 08, 2007 8:49 PM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] Metrion 2.0 Slides

And here are Wysopal's slides:

"Software Security Weakness Scoring" 
Chris Wysopal (Veracode) Slides
<https://securitymetrics.org/content/attach/Metricon2.0/Wysopal-metricon2.0-software-weakness-scoring.ppt>

Very appropriate for this list.

-Ed

  _____  

From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Mark Curphey
Sent: Wednesday, August 08, 2007 9:22 AM
To: owasp-webcert at lists.owasp.org
Subject: [Owasp-webcert] Metrion 2.0 Slides

I am waiting on Wysopal's slides to be posted, but these have some great
stuff in. 

"Security Metrics in Practice: Development of a Security Metric System to
Rate Enterprise Software" 
Fredrick DeQuan Lee and Brian Chess (Fortify) Slides
<https://securitymetrics.org/content/attach/Metricon2.0/Lee_metricon20070807.ppt>

"A Software Security Risk Classification System" 
Eric Dalci and Robert Hines (Cigital) Slides
<https://securitymetrics.org/content/attach/Metricon2.0/Metricon_edalci_rhines_Final.pdf>
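
Chris Wysopal's point above, that CVSS layers base, temporal and environmental scores on each other and that a missing temporal data point should be set to 1 (worst case), carried through in working code. This is an added example, not part of the thread and not taken from any of the slide decks linked here; the equations and metric weights are those of the CVSS v2 guide, and the first vector scored is the guide's own worked example (CVE-2002-0392, which the guide scores 7.8 base, 6.4 temporal, 9.2 environmental). The other vector strings, and the "static finding versus dynamically confirmed finding" scenario they illustrate, are constructed for this example.

```python
"""CVSS v2 base / temporal / environmental scoring in which any temporal
metric absent from the vector is treated as Not Defined (= 1.0, the worst
case).  Equations and weights follow the CVSS v2 guide."""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (CVSS v2 guide)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Temporal weights.  ND (Not Defined) is 1.0, so a missing data point can
# only leave the score at its worst case, never lower it.
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}

# Environmental weights.  Caveat: ND is NOT worst case at this level; the
# spec defines CDP:ND as 0.0 (no collateral damage assumed), TD:ND as 1.0.
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def round1(x):
    """The guide's round_to_1_decimal: half-up on the exact value (Python's
    built-in round() is half-to-even and would turn 8.25 into 8.2)."""
    return float(Decimal(x).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F' -> {'AV': 'N', ...}; absent metrics stay absent."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def impact_subscore(m, environmental=False):
    """Base Impact, or the environmental AdjustedImpact (requirement-weighted, capped at 10)."""
    product = 1.0
    for metric, requirement in (("C", "CR"), ("I", "IR"), ("A", "AR")):
        weight = IMPACT[m[metric]]
        if environmental:
            weight *= REQUIREMENT[m.get(requirement, "ND")]
        product *= 1 - weight
    impact = 10.41 * (1 - product)
    return min(10.0, impact) if environmental else impact


def base_score(m, environmental=False):
    impact = impact_subscore(m, environmental)
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(m, base=None):
    """Temporal metrics missing from the vector default to ND = 1.0 (worst case)."""
    base = base_score(m) if base is None else base
    return round1(base
                  * EXPLOITABILITY[m.get("E", "ND")]
                  * REMEDIATION_LEVEL[m.get("RL", "ND")]
                  * REPORT_CONFIDENCE[m.get("RC", "ND")])


def environmental_score(m):
    """AdjustedTemporal is the temporal score recomputed on the adjusted base."""
    adjusted_temporal = temporal_score(m, base=base_score(m, environmental=True))
    cdp = COLLATERAL_DAMAGE[m.get("CDP", "ND")]
    td = TARGET_DISTRIBUTION[m.get("TD", "ND")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def score(vector):
    """All three levels for one vector string; each level builds on the one below."""
    m = parse_vector(vector)
    return {"base": base_score(m), "temporal": temporal_score(m), "environmental": environmental_score(m)}


if __name__ == "__main__":
    # The CVSS v2 guide's worked example, CVE-2002-0392 (Apache chunked encoding): 7.8 / 6.4 / 9.2
    print(score("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"))
    # Constructed vectors for the static/dynamic merge scenario: no temporal data at all
    # (worst case kept), a static-analysis finding whose exploitability is unproven and
    # whose report is uncorroborated, and the same flaw once a dynamic test confirms it.
    for label, vector in (("no temporal data", "AV:N/AC:L/Au:N/C:N/I:N/A:C"),
                          ("static, unconfirmed", "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RC:UR"),
                          ("dynamic, confirmed", "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RC:C")):
        print(f"{label:20s} temporal = {score(vector)['temporal']}")
```

The merge scenario is the point of the exercise: the same CWE-categorised flaw scores 7.8 with no temporal data, 6.3 when a static tool can only estimate exploitability (E:U/RC:UR, RL left to its worst-case default), and 7.4 once a dynamic test confirms it (E:F/RC:C), so a finding that both tools report can be reconciled by taking the higher-confidence temporal metrics rather than by an auditor's judgement call.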
