Speaker
Description
The developer community handles security defects on a regular basis and most organisations now use CVSS (the Common Vulnerability Scoring System framework) to convey vulnerability severity and impact to users of their software products. The laudable objective behind encouraging all software vendors and distributors to use the same metrics system is that enables software administrators to more easily make the right decisions on how quickly to respond to each new security report they receive. "Is this an issue that should be patched as soon as possible, or can it wait until the next scheduled maintenance window?"
What we have found however is that the majority of vulnerabilities reported against BIND nearly always score one of a small number of values regardless of their actual operational risk if instead assessed based on the popularity or obscurity of the feature involved and on the likelihood that the defect that has been uncovered would make a feasible attack.
How can we more realistically evaluate and report DNS security vulnerabilities so that the information we provide on each is genuinely useful? How can we do something better than just scoring most of our BIND Security Advisories at 7.5?
| Talk duration | 20 Minutes (+5 for Q&A) |
|---|
