Security Spectra

[Jeff Williams]

P.J. Ponder writes:

> In your recent post to the cypherpunks mailing list you proposed a 
> taxonomy of security weaknesses and vulnerabilities, adding that these 

Please watch your attribution.  Vlad Nuri proposed this rating scheme.

> The whole idea of categorizing or ranking holes and vulnerabilities ab 
> intitio, outside of their contextual application to a real system is not 
> very helpful.  Systems vary so widely in their criticalities, 
> sensitivities, costs, etc., that each of your pre-defined categorized 
> weaknesses would have to be rejudged - in the context of the system being 
> analyzed - to determine how, and to what extent it could effect the system.

I absolutely agree with you on this point.  I'll point out again that this
is the same problem as creating a rating scheme for the security of
*products*.

> The standard approach as I understand it is to analyze the system against
> all the known vulnerabilities and attempt to measure (maybe only
> qualitatively) the risks associated with the vulnerabilities.

It is popular these days to jump on the risk assessment bandwagon and
forget about assurance.  This occurs because people think risk assessment
is a quick fix that you can do after the system is built and configured.
Some holes cannot be patched.

--Jeff Williams  <mailto:williams at arca.com>