Re: Debian type of vulnerabilities review?: msg#00014

Subject: Re: Debian type of vulnerabilities review?
Quoting Javier Fernández-Sanguino Peña <jfs@xxxxxxxxxx>:

> > I don't agree with Secunia's methods of calculating risk at all.
> Why so? Where are they described?

They are described here:  http://secunia.com/about_secunia_advisories/ .

1) They try to make it sound like all issues of one type are equally severe,
when the reality is much more complicated.
2) They assume that all systems have competent administrators. They say that
certain issues are not a big problem, because some types of servers like
database servers should be behind firewalls, when all evidence suggests that
lots of people have no firewalls, or misconfigured ones.
3) They give ratings that are too low (local buffer overflow getting gid games = Not
critical, all Cross-site Scripting bugs = Less critical).
4) They don't consider the whole picture. I think my LHa advisory from half a
year ago got rated as Moderately critical, because they thought you have to
download .lha archives from somewhere and then unpack them. In reality, LHa is
commonly used by antivirus programs on untrusted data coming in from the
network, meaning that it's a remote attack.

In short, Secunia has an ambitious website doing a valuable service, but their
calculation of how critical bugs are strikes me as really wrong (and it's not
just about my vulnerabilities, I often shake my head when I see how they rate
other people's stuff as well).

Today's little Secunia rant there ;)

Your ideas for analyzing this type of data sound like excellent ways of making
things more scientific and thorough. Interesting!

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/