Tag: CVSS

  • Log4Shell: Redefining Painful Disclosure

    Log4Shell: Redefining Painful Disclosure

    Log4Shell is yet another example of why we simply don’t get security right, and it strongly suggests there is little hope for change. There are plenty of blogs and articles that do a great analysis of the vulnerability from the exploitation and impact angle of this vulnerability. There are a lot fewer that examine why…

  • A critique of the summary of “Latent Feature Vulnerability Rankings of CVSS Vectors”

    Update: Corren McCoy has written a wonderful response to this blog where she goes into more detail about her conclusions as well as citing more portions of the original research that led to her conclusions. As she notes, there are several layers of condensing the original research at play here, which can dilute and distort…

  • More authorities, more CVEs; Oh, and more commentary.

    On November 10, TechBeacon published a great article by Rob Lemos titled “More authorities, more CVEs: What it means for app sec teams” in which I was quoted, along with several other people. Like many articles of this nature, those who provide input often will talk for as long as half an hour and ultimately…

  • Why @anacondainc Doesn’t Fully Understand CVEs

    It’s worrisome that in 2020 we still have people in influential technical roles that don’t understand CVE. A friend told me earlier this year he was in a meeting where someone said that CVE IDs are assigned in order, so CVE-2020-9500 meant there were 9500 vulns in 2020 so far. Of course that is not…

  • The problem with SCADA goes deeper…

    [This was originally published on the OSVDB blog.] We know SCADA is virtual swiss cheese, ready to be owned if someone can reach a device. We have preached airgaps for decades, even before we knew how bad the software was. Back then it was just, “this is so critical, it has to be separate!” The…

  • Mobile Devices and Exploit Vector Absurdity

    [This was originally published on the OSVDB blog.] The last few days has seen several vulnerabilities disclosed that include serious gaps in logic with regard to exploitation vectors. What is being called “remote” is not. What is being called “critical” is not. Here are a few examples to highlight the problem. We beg of you,…

  • CVSSv2 Shortcomings, Faults, and Failures Formulation

    [This was originally published on the OSVDB blog.] The Open Security Foundation (OSF) and Risk Based Security wrote an open letter to FIRST regarding the upcoming Common Vulnerability Scoring System (CVSS) version 3 proposal. While we were not formally asked to provide input, given the expertise of managing vulnerability databases, along with the daily use…

  • Advisories != Vulnerabilities, and How It Affects Statistics

    [This was originally published on the OSVDB blog.] I’ve written about the various problems with generating vulnerability statistics in the past. There are countless factors that contribute to, or skew vulnerability stats. This is an ongoing problem for many reasons. First, important numbers are thrown around in the media and taken as gospel, creating varying…

  • OSVDB – Search Filters & Custom Exports

    [This was originally published on the OSVDB blog.] Last week, OSVDB enhanced the search results capability by adding a considerable amount of filter capability, a simple “results by year” graph and export capability. Rather than draft a huge walkthrough, open a search in a new tab and title search for “microsoft windows”. As always, the…

  • OSVDB – Search Enhance: by CVSS Score or Attribute

    [This was originally published on the OSVDB blog.] Using the ‘Advanced Search‘, you can now search the database by entering a CVSSv2 score range (e.g., 8 to 10) or by a specific CVSSv2 attribute (e.g., Confidentiality : Partial). To search for entries with only a 10 score, use the search range 10 to 10. Using…