From: williams@va.arca.com (Jeff Williams)
To: cypherpunks@toad.com
Message Hash: cea9c6d05f45613df29cca32576ce8916abb44df9ec35b08a69e382347e5a702
Message ID: <1665990655.62370147@va.arca.com>
Reply To: N/A
UTC Datetime: 1995-10-17 15:24:53 UTC
Raw Date: Tue, 17 Oct 95 08:24:53 PDT
Subject: Re: Security Spectra
P.J. Ponder writes:
> In your recent post to the cypherpunks mailing list you proposed a
> taxonomy of security weaknesses and vulnerabilities, adding that these
Please watch your attribution. Vlad Nuri proposed this rating scheme.
> The whole idea of categorizing or ranking holes and vulnerabilities ab
> initio, outside of their contextual application to a real system, is not
> very helpful. Systems vary so widely in their criticalities,
> sensitivities, costs, etc., that each of your pre-defined categorized
> weaknesses would have to be rejudged - in the context of the system being
> analyzed - to determine how, and to what extent, it could affect the system.
I absolutely agree with you on this point. I'll point out again that this
is the same problem as creating a rating scheme for the security of
*products*.
> The standard approach as I understand it is to analyze the system against
> all the known vulnerabilities and attempt to measure (maybe only
> qualitatively) the risks associated with the vulnerabilities.
It is popular these days to jump on the risk assessment bandwagon and
forget about assurance. This occurs because people think risk assessment
is a quick fix that you can do after the system is built and configured.
Some holes cannot be patched.
--Jeff Williams <mailto:williams@arca.com>