1995-10-17 - Re: Security Spectra

Header Data

From: williams@va.arca.com (Jeff Williams)
To: cypherpunks@toad.com
Message Hash: cea9c6d05f45613df29cca32576ce8916abb44df9ec35b08a69e382347e5a702
Message ID: <1665990655.62370147@va.arca.com>
Reply To: N/A
UTC Datetime: 1995-10-17 15:24:53 UTC
Raw Date: Tue, 17 Oct 95 08:24:53 PDT

Raw message

From: williams@va.arca.com (Jeff Williams)
Date: Tue, 17 Oct 95 08:24:53 PDT
To: cypherpunks@toad.com
Subject: Re: Security Spectra
Message-ID: <1665990655.62370147@va.arca.com>
MIME-Version: 1.0
Content-Type: text/plain


P.J. Ponder writes:

> In your recent post to the cypherpunks mailing list you proposed a 
> taxonomy of security weaknesses and vulnerabilities, adding that these 

Please watch your attribution.  Vlad Nuri proposed this rating scheme.

> The whole idea of categorizing or ranking holes and vulnerabilities ab
> initio, outside of their contextual application to a real system is not
> very helpful.  Systems vary so widely in their criticalities,
> sensitivities, costs, etc., that each of your pre-defined categorized
> weaknesses would have to be rejudged - in the context of the system being
> analyzed - to determine how, and to what extent it could affect the system.

I absolutely agree with you on this point.  I'll point out again that this
is the same problem as creating a rating scheme for the security of
*products*.

> The standard approach as I understand it is to analyze the system against
> all the known vulnerabilities and attempt to measure (maybe only
> qualitatively) the risks associated with the vulnerabilities.

It is popular these days to jump on the risk assessment bandwagon and
forget about assurance.  This occurs because people think risk assessment
is a quick fix that you can do after the system is built and configured.
Some holes cannot be patched.

--Jeff Williams  <mailto:williams@arca.com>
