Tricolour Alphanumerical Spaghetti

Colin Watson, Watson Hall

Thursday, July 12th | 15:20 | Location: A1

Abstract: Do you know your “A, B, Cs” from your “1, 2, 3s”? Is “red” much worse than “orange”, and why is “yellow” used instead of “green”? Just what is a “critical” vulnerability? Is “critical” the same as “very high”? How do PCI DSS “level 4 and 5” security scanning vulnerabilities relate to application weaknesses? Does a “tick” mean you passed? Are you using CWE and CVSS? Is a “medium” network vulnerability as dangerous as a “medium” application vulnerability? Can CWSS help? What is FIPS PUB 199? Does risk ranking equate to prioritisation? What is “one” vulnerability? Are you drowning in a mess of unrelated classifications, terminology and abbreviations? If you are a security verifier and want to know more about ranking your findings, or receive test reports and want to better understand the results, or are just new to ranking weaknesses/vulnerabilities and want an overview, come along to this presentation. It will also explain why the unranked information-only (“grey” or “blue”?) findings might contain some of the best value information.