More or less all parts of IT are full of bugs, and these bugs often result in security issues.
IT managers in particular are looking for
metrics to prioritize which bug has to be fixed sooner and which
later. However, the complexity of IT is very high, and the idea of mapping
IT security onto a single number sounds attractive, especially if that
number is calculated. In this presentation I will demonstrate what
kind of results you get with such scoring systems. In the worst
case, the level of IT security goes down while the score goes up.
The criticism is not aimed only at CVSS; it is merely used as a
popular example of a security scoring system.
This controversial presentation is important for IT managers, IT security
officers, and also for researchers and security bulletin providers.
The presentation is based on long-time experience as a professional
penetration tester, the weaknesses found, and the resulting discussions