Date: Mon, 21 Feb 2005 08:03:56 -0800 (PST)
From: Jon Passki <cykyc@yahoo.com>
To: freebsd-vuxml@freebsd.org
Subject: Adding Additional Attributes to VuXML
Message-ID: <20050221160356.61989.qmail@web50302.mail.yahoo.com>
Hello All,

I would like to discuss risk attributes and see if they should be included in VuXML as some new optional elements. What I would like to see are possibly two new elements added that describe the likelihood of the vulnerability and what the vulnerability produces. Neither of these elements would try to directly communicate the impact of the risk (which is site-specific), rather certain attributes that can objectively describe the vulnerability. Also, this is not a taxonomy, although it may start to resemble one. It's to provide consistent information across vulnerabilities.

When I think of likelihood, I think of some of the following examples:

--) Configuration needed for successful exploitation (default or non-default)
--) Needed Account Access (non-anonymous, anonymous, none)
--) Location of Exploitation (can be performed remotely, needs to be local)

When I think of the production of the vulnerability, I think of some of the following examples:

--) Network information (host names, IP addresses, MAC addresses, etc.)
--) Account information (account name, individual account password, credential reuse, privileged account access, etc.)
--) System/Service Information (directory names, file names, configuration information, recursive resource usage, etc.)

What I'm asking is if it makes sense to add these two _optional_ elements (or perhaps similar concepts). If it does, then I'd like to start a discussion on the exact content (one bikeshed at a time...).

Sincerely,

Jon Passki
