Hello All,
I would like to discuss risk attributes and see if they should be
included in VuXML as some new optional elements. What I would like
to see are possibly two new elements added that describe the
likelihood of the vulnerability and what the vulnerability
produces. Neither of these elements would try to directly
communicate the impact of the risk (which is site-specific), rather
certain attributes that can objectively described the
vulnerability. Also, this is not a taxonomy, although it may start
to resemble one. It's to provide consistent information across
vulnerabilities.
When I think of likelihood, I think of some of the following
examples:
--) Configuration needed for successful exploitation (default or
non-default)
--) Needed Account Access (non-anonymous, anonymous, none)
--) Location of Exploitation (can be performed remotely, needs to
be local)
When I think of the production of the vulnerability, I think of
some of the following examples:
--) Network information (host names, IP addresses, MAC addresses,
etc.)
--) Account information (account name, individual account password,
credential reuse, privileged account access, etc.)
--) System/Service Information (directory names, file names,
configuration information, recursive resource usage, etc.)
What I'm asking is if it makes sense to add these two _optional_
elements (or perhaps similar concepts). If it does, then I'd like
to start a discussion on the exact content (one bikeshed at a
time...).
Sincerely,
Jon Passki
__________________________________
Do you Yahoo!?
The all-new My Yahoo! - What will yours do?
http://my.yahoo.com