Bistahieversor or MS08-067?
If you had to list out the problems with CVSS it would be like analyzing
the anatomical issues of a children's drawing. No part of it fits together
properly. Here's a problem: Scoring of threats is not one dimensional, and
numbers can't carry the whole story. We need a vulnerability scoring system
that's extensible, and programmable.
But I have an alternative: Take each vulnerability attribute and assign it
to a dinosaur part! Is it a client-side? Then it's got legs! Does it need
user interaction? Then short stumpy legs. Is it a true remote against a
service? Then it's got wings. Is it a root bug? Then it has a big mouth!
User-level access? Duckbill.
That way, the attributes of the vulnerability reflect themselves as a
literal model - a denizen of your Cretaceous nightmares. But it rings true -
getting attacked by five hundred pre-auth XSS bugs in your web front-end is
exactly like getting attacked by a horde of ducks. And of course,
vulnerabilities can combine - a LPE + a remote user-level XSS + sandbox
escape has legs and teeth.
Modeling is better than scoring in every way. Maybe your network is a
an Animantarx <https://en.wikipedia.org/wiki/Animantarx>, a living citadel,
but more likely you're a Diplodocus, a big bag of walking meat getting
nibbled to death by ducks.
-dave
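The "model, don't score" idea above is easy to try out in a few lines: give each vulnerability a handful of attributes, derive its dinosaur parts from them, and let chains compose by walking the links in exploitation order and tracking what privilege the attacker holds after each step. The following is an added example written for this page, not code from the post or from any scoring project; the attribute names (vector, interaction, required and granted privilege), the SANDBOX level and the chaining rule are all my assumptions, while the part mapping is the one Dave lists. The sample vulnerabilities are constructed stand-ins, not real bugs.

```python
from dataclasses import dataclass
from enum import Enum


class Vector(Enum):
    REMOTE = "remote"   # true remote against a service
    CLIENT = "client"   # client-side: browser, document viewer, ...
    LOCAL = "local"     # needs code already running on the box


class Priv(Enum):
    # Ordered privilege levels the attacker can hold (SANDBOX is an assumption
    # added here for "code runs, but inside a browser/renderer sandbox").
    NONE = 0
    SANDBOX = 1
    USER = 2
    ROOT = 3


@dataclass(frozen=True)
class Vuln:
    name: str
    vector: Vector
    needs_interaction: bool
    requires: Priv   # privilege the attacker must already hold to use it
    grants: Priv     # privilege the attacker holds after using it


def dino_parts(v: Vuln) -> list[str]:
    """Translate attributes into the body parts from the post."""
    parts: list[str] = []
    if v.vector is Vector.CLIENT:
        parts.append("short stumpy legs" if v.needs_interaction else "legs")
    elif v.vector is Vector.REMOTE:
        parts.append("wings")
    if v.grants is Priv.ROOT:
        parts.append("big mouth")
    elif v.grants is Priv.USER:
        parts.append("duckbill")
    # SANDBOX-only bugs get no mouth part: the post defines none for them.
    return parts


def chain(links: list[Vuln]) -> Vuln:
    """Compose links in exploitation order into one composite vulnerability.

    Each link's `requires` must be satisfied by what earlier links granted,
    otherwise the chain is not actually exploitable and we refuse to model it.
    """
    if not links:
        raise ValueError("empty chain")
    held = Priv.NONE
    for link in links:
        if link.requires.value > held.value:
            raise ValueError(
                f"{link.name} requires {link.requires.name} "
                f"but the chain only holds {held.name}"
            )
        if link.grants.value > held.value:
            held = link.grants
    # The entry point decides vector; any interaction anywhere taints the whole
    # chain; the final privilege is the highest level reached.
    return Vuln(
        name=" + ".join(link.name for link in links),
        vector=links[0].vector,
        needs_interaction=any(link.needs_interaction for link in links),
        requires=links[0].requires,
        grants=held,
    )


# Constructed sample vulnerabilities (hypothetical, not real bugs).
XSS = Vuln("XSS in the web front-end", Vector.CLIENT, True, Priv.NONE, Priv.SANDBOX)
SANDBOX_ESCAPE = Vuln("sandbox escape", Vector.LOCAL, False, Priv.SANDBOX, Priv.USER)
LPE = Vuln("LPE", Vector.LOCAL, False, Priv.USER, Priv.ROOT)
PREAUTH_RCE = Vuln("pre-auth service bug, runs as root", Vector.REMOTE, False, Priv.NONE, Priv.ROOT)


def describe(v: Vuln) -> str:
    return f"{v.name}: {', '.join(dino_parts(v)) or 'no distinguishing parts'}"


if __name__ == "__main__":
    print(describe(XSS))                                 # a duck-ish thing, no teeth yet
    print(describe(chain([XSS, SANDBOX_ESCAPE, LPE])))   # legs and teeth, as the post says
    print(describe(PREAUTH_RCE))                         # wings and a big mouth
    try:
        chain([LPE, XSS])                                # wrong order: LPE needs a foothold first
    except ValueError as err:
        print("rejected:", err)
```

The point of the `chain` check is the part a score can't express: the same three bugs are a root-capable monster in one order and nothing at all in another, and a model that tracks held privilege catches that, while a sum of CVSS numbers does not.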