Difference between revisions of "Security/VMT-Metrics"
Revision as of 09:42, 12 November 2014
Introduction
The OpenStack Security Group suggests that, when OpenStack Security Advisories are created by the VMT, the following metrics are used to score the potential impact of vulnerabilities on OpenStack deployments.
As with all scoring systems, this will not be universally applicable, but it will provide basic guidance on the severity of each vulnerability.
The OSSG has adapted the DREAD metric (https://www.owasp.org/index.php/Threat_Risk_Modeling) as a basis for OpenStack vulnerability impact assessment. We adapted each of the scoring categories to better reflect the impact of a vulnerability in a cloud context.
DREAD
DREAD scores five categories, each from 0 to 5; the scores are summed and divided by five, giving an overall score from 0 to 5, where 0 indicates no impact and 5 is the worst possible outcome:
Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
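The formula above, as an added Python example that is not part of the original wiki page or of the VMT's tooling: each category is range-checked before the average is taken, and a handful of constructed, hypothetical findings are ranked by their resulting risk score.

```python
from dataclasses import dataclass, fields

# Each DREAD category is scored 0 (no impact) to 5 (worst case).
MIN_SCORE, MAX_SCORE = 0, 5


@dataclass(frozen=True)
class DreadScore:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-range values so a typo cannot skew an advisory's rating.
        for f in fields(self):
            value = getattr(self, f.name)
            if not isinstance(value, int) or not MIN_SCORE <= value <= MAX_SCORE:
                raise ValueError(
                    f"{f.name} must be an integer in [{MIN_SCORE}, {MAX_SCORE}], got {value!r}"
                )

    def risk(self) -> float:
        # Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
        total = sum(getattr(self, f.name) for f in fields(self))
        return total / len(fields(self))


def rank_findings(findings: dict[str, DreadScore]) -> list[tuple[str, float]]:
    """Order findings from highest to lowest DREAD risk (ties broken by name)."""
    scored = [(name, score.risk()) for name, score in findings.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample findings; the names are hypothetical, not real advisories.
SAMPLE_FINDINGS = {
    "hypothetical-api-auth-bypass": DreadScore(5, 5, 4, 5, 3),
    "hypothetical-verbose-error": DreadScore(1, 5, 2, 2, 4),
    "hypothetical-local-dos": DreadScore(3, 3, 2, 2, 1),
}

if __name__ == "__main__":
    for name, risk in rank_findings(SAMPLE_FINDINGS):
        print(f"{name}: {risk:.1f}")
```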