Tricolour Alphanumerical Spaghetti
Colin Watson, Watson Hall
Thursday, July 12th | 15:20 | Location: A1
Abstract: Do you know your “A, B, Cs” from your “1, 2, 3s”? Is “red” much worse than “orange”, and why is “yellow” used instead of “green”? Just what is a “critical” vulnerability? Is “critical” the same as “very high”? How do PCI DSS “level 4 and 5” security scanning vulnerabilities relate to application weaknesses? Does a “tick” mean you passed? Are you using CWE and CVSS? Is a “medium” network vulnerability as dangerous as a “medium” application vulnerability? Can CWSS help? What is FIPS PUB 199? Does risk ranking equate to prioritisation? What is “one” vulnerability? Are you drowning in a mess of unrelated classifications, terminology and abbreviations? If you are a security verifier and want to know more about ranking your findings, or receive test reports and want to better understand the results, or are just new to ranking weaknesses/vulnerabilities and want an overview, come along to this presentation. It will also explain why the unranked information-only (“grey” or “blue”?) findings might contain some of the best value information.