AverageSecurityGuy

20 December 2011

Defining Risk/Severity

by averagesecurityguy

I'm going to push a few buttons with this post and I may even start a flame war, but here goes.

I don't think security auditors, security analysts, or penetration testers should define risk levels and severity ratings for a client's vulnerabilities. I think we should rely on systems like CVSS or CVSS2 instead of developing our own definitions.

A typical security company will have its own four or five tier rating system along with nifty definitions to explain why a vulnerability would be rated at that level. That system is fine until a client inevitably tries to talk you into lowering a severity rating. Then you have nothing to stand on but your opinion, which may be different from the opinion of the security company next door. If you use a standardized severity rating instead, then you stand on the collective opinion of many knowledgeable researchers.

I realize the CVSS and CVSS2 scoring systems aren't perfect and mistakes are made when rating a vulnerability, but the system is better than having some average security guy make up his own standard.

tags: CVSS - CVSS2 - risk rating - severity rating - severity ratings