Comments on TaoSecurity Blog: Comments on SANS Top 20
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16T06:06:25-04:00; 10 comments.

Anonymous, 2006-11-17 14:15 (-05:00):

In a new security world of threat-modeling and securitymetrics.org it's sad to see organizations such as SANS survive.

To support that claim, maybe I should mention CVSS (the Common Vulnerability Scoring System) being used by NIST (aka the US government's standards body) for their National Vulnerability Database (NVD). CVSS was drawn up by the NIAC Vulnerability Disclosure Working Group. The NIAC VDWG is made up of all the leading experts for CERT, Cisco, eBay, ISS, Microsoft, Qualys, and Symantec.

Oh yeah, and Tenable (the company behind the most popular security scanner, Nessus) today announced a partnership with NIST NVD to use CVSS in all of their products (both Nessus and their Passive Vulnerability Scanner) and provide feedback on vulnerabilities.

What's funny is that CVSS isn't as complete as the threat-models that STRIDE/DREAD (see the Microsoft Press book, Threat Modeling: http://www.amazon.com/Threat-Modeling-Microsoft-Professional-Swiderski/dp/0735619913) and Trike (presented at Toorcon'05) provide.

According to a recent survey (http://jeremiahgrossman.blogspot.com/2006/11/web-application-security-professionals.html) at Jeremiah Grossman's (WhiteHat Sec) blog, DREAD is more popular than both CVSS and Trike for web application security professionals.

CVSS is likely to become the dominant standard for vulnerability measurement with regards to public disclosure, while Trike (http://dymaxion.org/trike) is likely to revolutionize the private disclosure industry if used properly and often.

Speaking of the NVD, there is a tool called Cassandra (https://cassandra.cerias.purdue.edu) provided by Purdue University that allows you to create profiles of vendors/products/keywords that update you daily (2x) via email on new vulnerabilities that match your criteria in both the NVD and Secunia vulnerability databases.

It's also my "opinion" to use the OSVDB project to query for vulnerabilities, as it's the most complete implementation I've seen. Reading their daily RSS should be avoided, as OSVDB wants to document every vulnerability, including ones in the past... so you could see PDP-11 exploits and assume it's current. However, reading their blog is recommended.

Anonymous, 2006-11-17 12:46 (-05:00):

I was tasked with writing about Opera and Firefox for SANS Top Twenty. They decided not to use it.

Edward Ray

Richard Bejtlich, 2006-11-17 11:38 (-05:00):

Anonymous,

I think the original top 10 list was more or less actionable. The current list is not actionable. So my DNS servers are attack targets. And...? Not much you can do about that.

Anonymous, 2006-11-17 09:32 (-05:00):

All your base are belong to us.

Anonymous, 2006-11-17 09:16 (-05:00):

Rich,
Do you think the list was more helpful when it was organized as the top 10 vulnerabilities?

Anonymous, 2006-11-17 08:34 (-05:00):

"I would expect most security practitioners to understand or at least recognize everything on the list."

But isn't the point of the Top20 to be a consolidated list, designed mainly for the non-security practitioner? Perhaps it was originally, but as security has gotten to be a specialty and formal profession, the resources are widely known to those people; rather, having worked on the project, I believed it to be focused on issues that normal non-security IT people could use as a quick guide.

Arturo 'Buanzo' Busleiman (https://www.blogger.com/profile/04051926398190636592), 2006-11-17 06:35 (-05:00):

It seems you've made some kind of a routine to say a word about SANS TOP-20, Mr. Bejtlich:

Richard's post for TOP-20 2005: http://taosecurity.blogspot.com/2005/11/good-and-bad-about-new-sans-top-20.html

And my opinion, which I posted there, is still valid here.

Sincerely,

Anonymous, 2006-11-16 15:17 (-05:00):

I suppose it is good of you to cough about the idea that you are a security expert.

Unknown (https://www.blogger.com/profile/15357840241031190415), 2006-11-16 10:21 (-05:00):

I think there will be all amounts of contention with any list that tries to distill something as large as what it does. Besides, I'm sure they get hell every time they mention an actual product like IE and not Opera/Firefox. And I can only guess at the pushback management gives to operations every time they throw this list out. "Are we secure on all this?" "Uhh, you're not using this list properly..." Or perhaps trying to measure all of this is getting too difficult, or there are fewer worms and viruses, making this a bit less dramatic? I dunno...

I think this document just has a problem with its identity. Does it list actual distinct vulns like they did in the first one, or do they increasingly group things into buckets like "web applications" (cop out!) or instead change all of it and list targets? Do they do already-broken targets or theoretical ones? This latest one has a feeling that some of this is a prediction. Including Mac OS X is a huge disappointment. Yes, it might be an increasingly enticing target, but it is not a problem right now or in the past year. VoIP Phones/Servers had no place in this, especially when you see the glaring holes of wireless insecurities and/or insecurity of data at rest on laptops (theft).

I expect next year they have such a watered down and general top 20 that it is like, 1. Windows, 2. Unix, 3. Anything dealing with the web. And so on...

I really disliked #19 Users (phishing / spear phishing) and #20 Zero-Day Attacks and Prevention Strategies. Users should have just been replaced with either social engineering or phishing.

I really liked the new groupings. I think in the past couple iterations they have really struggled to match 10 Windows and 10 Unix items. Last year 85% of the content was on the 10 Windows vulns, and the Unix ones got very little space. Maybe that's because those Unix ones have been written about almost every year, and maybe it is just getting old. :)

But again, with any list like this, there will be problems and disagreements, which means the identity and purpose of this needs to be very clear.

Anonymous, 2006-11-15 21:21 (-05:00):

sigh

That was useless, I see why you distanced yourself from it. Nothing actionable there, not even well written since there were so many weasel words.