Re: Security Spectra

P.J. Ponder writes:
In your recent post to the cypherpunks mailing list you proposed a taxonomy of security weaknesses and vulnerabilities, adding that these
Please watch your attribution. Vlad Nuri proposed this rating scheme.
The whole idea of categorizing or ranking holes and vulnerabilities ab initio, outside of their contextual application to a real system, is not very helpful. Systems vary so widely in their criticalities, sensitivities, costs, etc., that each of your pre-defined categorized weaknesses would have to be rejudged - in the context of the system being analyzed - to determine how, and to what extent, it could affect the system.
I absolutely agree with you on this point. I'll point out again that this is the same problem as creating a rating scheme for the security of *products*.
The standard approach as I understand it is to analyze the system against all the known vulnerabilities and attempt to measure (maybe only qualitatively) the risks associated with the vulnerabilities.
It is popular these days to jump on the risk assessment bandwagon and forget about assurance. This occurs because people think risk assessment is a quick fix that you can do after the system is built and configured. Some holes cannot be patched. --Jeff Williams <mailto:williams@arca.com>