Difference between revisions of "Security/VMT-Metrics"
Robert-clark (talk | contribs) (→Reproducibility) |
Robert-clark (talk | contribs) (→Damage Potential) |
||
| Line 13: | Line 13: | ||
==== Damage Potential ==== | ==== Damage Potential ==== | ||
* If the vulnerability is exploited, how much damage will be caused? | * If the vulnerability is exploited, how much damage will be caused? | ||
| − | ** 0 = | + | ** 0 = Nothing |
| − | ** 5 = | + | ** 3 = Individual user data is compromised or affected |
| − | ** 10 = | + | ** 5 = All individual tenant data is compromised or affected |
| + | ** 7 = All tenant data is compromised or affected | ||
| + | ** 9 = Underlying cloud management and infrastructure data is compromised or affected | ||
| + | ** 10 = Complete system or data destruction | ||
==== Reproducibility ==== | ==== Reproducibility ==== | ||
Revision as of 11:11, 12 November 2014
Contents
Introduction
The OpenStack Security Group suggests that when OpenStack Security Advisories are created by the VMT use the following metrics to score the potential impact of vulnerabilities on OpenStack Deployments
As with all scoring systems this will not be universally applicable but will provide basic guidance to the severity of each vulnerability.
The OSSG has adapted the DREAD metric as a basis for OpenStack vulnerability impact assessment. We adapted each of the scoring categories to better reflect the impact of a vulnerability in a cloud context.
DREAD
DREAD scores five categories, which are summed together and divided by five, the result is a score from 0-10 where 0 indicates no impact and 10 is the worst possible outcome:
Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 10
Damage Potential
- If the vulnerability is exploited, how much damage will be caused?
- 0 = Nothing
- 3 = Individual user data is compromised or affected
- 5 = All individual tenant data is compromised or affected
- 7 = All tenant data is compromised or affected
- 9 = Underlying cloud management and infrastructure data is compromised or affected
- 10 = Complete system or data destruction
Reproducibility
- How reliably can the vulnerability be exploited?
- 0 = Very hard or impossible, even for administrators. The vulnerability is unstable and statistically unlikey to be reliably exploited
- 5 = One or two steps required, tooling / scripting readily available
- 10 = Unauthenticated users can trivially and reliably exploit using only a web browser
Exploitability
- How difficult is the vulnerability to exploit?
- 0 = N/A We assert that every vulnerability is exploitable, given time and effort. All scores should be 1-10
- 1 = Even with direct knowledge of the vulnerability we do not see a viable path for exploitation
- 2 = Advanced techniques required, custom tooling. Only exploitable by authenticated users
- 5 = Exploit is available/understood, usable with only moderate skill by authenticated users
- 7 = Exploit is available/understood, usable by non-authenticated users
- 10 = Trivial - just a web browser
Note: In this context, authentication refers to OpenStack users. Users on compute nodes, interacting with virtualised applications are considered to be non-authenticated. A hypervisor breakout would be considered a non-authenticated attack.
Affected Users
- How many users will be affected?
- 0 = None
- 5 = Specific to a given project
- 10 = All users impacted
Discoverability
- How easy is it to discover the threat, to learn of the vulnerability (By convention this is set to 10 even for privately reported vulnerabilities)
- 0 = Very hard to impossible to detect even given access to source code and privilege access to running systems
- 5 = Can figure it out by guessing or by monitoring network traces
- 9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine
- 10 = The information is visible in the web browser address bar or in a form
Discussion
Boopity boop
