@Johnwhite78: Good point. Using a scoring system like CVSS should never take the place of the professional expertise of the consultant, whose recommendations incorporate many more factors than what CVSS measures. I think analog vs. digital makes for a useful rough analogy here. The vision and expertise of the consultant are vastly more fine-grained than the measuring system, which only samples a handful of metrics (which are themselves sometimes awkward to apply). So CVSS is lossy. No surprise there. The question is whether we can improve and extend it to make it better represent the original material. Or here's another analogy. In baseball there have always been measurements applied to on-field events in an attempt to summarize a player's abilities, such as Runs Batted In (RBIs). But eventually there arose fierce debate about which metrics were actually the most useful. See The information security community is -- for reasons I can't comprehend -- somewhere in the very early stages of a similar debate for attack and defense metrics. Re: your scenario manipulating tokens, I may or may not agree with you. Could you say a little more about why you think CVSS is not applicable to that attack path?
Thanks! And your point about environmental scores is well taken. Pentesters can't be required or even expected to fill these in, but should be welcome to do so when they have the needed background information. On the surface the project sounds straightforward. Your clients may be thinking: "All vulnerabilities have CVEs, right? And all CVEs have CVSS scores already calculated by the fine folk behind the NVD. Just plug in the numbers!" :) As probably neither Yogi Berra nor Albert Einstein ever said: "In theory there is no difference between theory and practice. But in practice, there is." I'll cover some other differences between the theory and the practice in coming posts.
Dec 27, 2011