I was wondering if anyone had done an analysis of the published
DSAs based on:
- package priority (i.e. 'base', 'standard', etc.)
- type of security flaw (buffer overflow, logical error, integer overflow, etc.)
- type of impact (denial of service, authentication, remote code execution, privilege escalation, etc.)
- risk (that is, how "dangerous" is the vulnerability to common users)
I was reviewing one of IEEE's Security & Privacy magazines I have around
and read a very interesting article [1]. It concludes that it might be
possible to use a susceptibility matrix based on uncovered flaws to
determine where new flaws might be found.
Extracting this from the DSAs is non-trivial, since we don't provide
meta-data for those, and I wanted to ask if someone had done a similar
analysis before. I was also wondering if others believe it would be worth
asking the Security Team to provide some of those in the future.
Regards
Javier
[1] "Susceptibility matrix: a new aid to software auditing"
ieeexplore.ieee.org/iel5/8013/28622/01281240.pdf
and
www.cs.umd.edu/~kanta/ieee.pdf
Received on Sat Dec 18 2004 - 09:53:34 GMT
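As an added illustration of the analysis the post proposes (this is example code, not something from the post or from the Debian Security Team), the script below takes advisory records annotated with the four fields Javier lists and aggregates them into a flaw-type × impact susceptibility matrix plus per-priority counts. The records are constructed for the example; the advisory ids, package names and classifications in them are made up and do not correspond to real DSAs, and the field names (`priority`, `flaw`, `impact`, `risk`) are an assumed metadata schema, since DSAs carry no such metadata.

```python
from collections import Counter, defaultdict

# Constructed sample records in the shape the post asks for. Ids, packages and
# classifications are hypothetical placeholders, not real Debian advisories.
SAMPLE_DSAS = [
    {"id": "DSA-EXAMPLE-1", "package": "pkg-a", "priority": "base",
     "flaw": "buffer overflow", "impact": "remote code execution", "risk": "high"},
    {"id": "DSA-EXAMPLE-2", "package": "pkg-b", "priority": "standard",
     "flaw": "buffer overflow", "impact": "remote code execution", "risk": "high"},
    {"id": "DSA-EXAMPLE-3", "package": "pkg-c", "priority": "optional",
     "flaw": "buffer overflow", "impact": "denial of service", "risk": "medium"},
    {"id": "DSA-EXAMPLE-4", "package": "pkg-d", "priority": "base",
     "flaw": "integer overflow", "impact": "privilege escalation", "risk": "high"},
    {"id": "DSA-EXAMPLE-5", "package": "pkg-e", "priority": "optional",
     "flaw": "logical error", "impact": "authentication bypass", "risk": "medium"},
    {"id": "DSA-EXAMPLE-6", "package": "pkg-f", "priority": "standard",
     "flaw": "logical error", "impact": "denial of service", "risk": "low"},
]


def susceptibility_matrix(records, rows="flaw", cols="impact"):
    """Cross-tabulate two classification fields into a nested dict of counts.

    matrix[row_value][col_value] is the number of advisories with that
    combination, e.g. how many buffer overflows led to remote code execution.
    """
    matrix = defaultdict(Counter)
    for rec in records:
        matrix[rec[rows]][rec[cols]] += 1
    return {row: dict(cells) for row, cells in matrix.items()}


def count_by(records, field):
    """Simple frequency count of one field, e.g. advisories per package priority."""
    return dict(Counter(rec[field] for rec in records))


def hottest_cell(matrix):
    """Return (row, col, count) for the most frequently observed combination.

    In the article's terms this is the cell where past flaws cluster, and so
    a candidate area to audit first for flaws not yet found.
    """
    return max(
        ((row, col, n) for row, cells in matrix.items() for col, n in cells.items()),
        key=lambda cell: cell[2],
    )


def render(matrix):
    """Render the matrix as a plain-text table, columns sorted by name."""
    cols = sorted({col for cells in matrix.values() for col in cells})
    width = max(len(row) for row in matrix)
    lines = [" " * width + " | " + " | ".join(cols)]
    for row in sorted(matrix):
        counts = [str(matrix[row].get(col, 0)).rjust(len(col)) for col in cols]
        lines.append(row.ljust(width) + " | " + " | ".join(counts))
    return "\n".join(lines)


if __name__ == "__main__":
    m = susceptibility_matrix(SAMPLE_DSAS)
    print(render(m))
    print("by priority:", count_by(SAMPLE_DSAS, "priority"))
    print("hottest cell:", hottest_cell(m))
```

The same `susceptibility_matrix` call with `rows="priority", cols="risk"` answers the post's other question, how much of the exposure lands in packages most users have installed; the real work is producing the annotated records, which is exactly the metadata the post suggests asking the Security Team to publish.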