Re: Nessus Risk Rating Discussion Part Trois - CVSS

Subject: Re: Nessus Risk Rating Discussion Part Trois - CVSS
Date: Tue, 22 Feb 2005 09:58:53 -0500
On Tue, Feb 22, 2005 at 09:37:27AM -0000, Yeomans, Andrew wrote:

> Hi,
>
> There's been an interesting announcement at the RSA Conference for CVSS, the
> Common Vulnerability Scoring System.
> [..]
> This might put pressure on Nessus to conform, at least when (if?) CVSS turns
> from a press announcement to something real.

Changing the "risk factor" to something both more useful and more
professional is definitely on the roadmap - whether we use 'CVSS', or
any other scoring system.

On the Nessus side, it requires a lot of work, and good expertise from
the persons who will do the classification. Also, it's a bit of a
daunting task, as you do not want to have a period during which 30% of
the scripts use a given scoring system whereas the other 70% use another
one. That means that at some point, we will have to tackle this issue
and tackle it for good.

I really hope that it will be done in Nessus 3. I've been working on the
proper tools to manage that (because at this point, you definitely don't
want to edit every script manually - you want some kind of GUI to add
ratings to existing scripts) and backend-wise, I'm 80% there. Once the
backend is finished, cross references and better risk rating will be a
breeze to keep track of.

Regarding the rating system itself, CVSS is definitely a step in the
right direction, however at this point it's more a cloud of smoke than a
real draft, so I'd like to give it some time and see what happens.


                                -- Renaud
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
