Measuring vs. Modeling

Punchline: Using CVSS to steer remediation is nuts, ineffective, deeply diseconomic, and knee-jerk; given the availability of data it is also passé, which we will now demonstrate. Vulnerability data is often used to describe the vulnerabilities themselves. This is not actually interesting—it’s like using footprints to describe bear paws. Sure, a black bear has different ones from a polar bear . . . but a more interesting fact is what kind of fur they have.
