This issue was moved to a discussion.

value of simplicity #186

Closed
j--- opened this issue May 16, 2022 · 3 comments
Labels: demo site (Demo site and production site content), documentation (Improvements or additions to documentation), enhancement (New feature or request), ssvc-calc (SSVC "calculator" implementation)

Comments

@j---
Collaborator

j--- commented May 16, 2022

As raised by @jchester in his post:

The other area where SSVC arguably falls short is that it has a simpler implied causal model than CVSS does. In the critique by Risk Based Security discussed above, it was argued that CVSS was not detailed enough. But SSVC goes from CVSS's eight variables down to just four. It might be argued that three of CVSS's variables (Confidentiality, Integrity and Availability) can be usefully compressed into the SSVC Mission & Well-Being variable. That still leaves a substantial gap in the input permutations between the two schemes.

I think it is possible that within the context of this paragraph, different stakeholders have different "causal models."
If that is the case, SSVC and CVSS are not directly comparable. I'd like to explore if this is a reasonable basis to understand the "causal model" idea, because I did not so much think of SSVC as having a causal model. And at least, insofar as it does, the "stakeholder specific" thing means I think it might have multiple.

I think this might suggest some changes to the visual display of the calculator, also. In the section of the paper that talks about relationship to other systems and CVSS specifically, we sketch how technical impact is related to the CVSS v3 impact metrics. That the post relates the CVSS impact metrics to mission impact and safety impact indicates we need to either message this better or change our minds. One way to message better would be to pull the CVSS vector string in for vuls that have one and use our suggested mapping to make a suggestion for the technical impact value.
@sei-vsarvepalli , how hard would it be to pull the CVSS vector string values for C/I/A impact and Scope if a user enters a CVE-ID into the calculator?
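As an added illustration of the calculator idea sketched in this comment (pulling the CVSS v3 impact metrics and Scope for a CVE and suggesting a Technical Impact value from them), here is a small Python example. It is not the ssvc-calc project's code: the CVE-to-vector lookup table is constructed with placeholder IDs (a real implementation would query a source such as NVD), and the mapping from C/I/A to "partial"/"total" is an assumption chosen for illustration, not the paper's published mapping.

```python
"""Added example: parse a CVSS v3.x vector string, pull out the impact
metrics (C/I/A) and Scope, and turn them into a *suggested* SSVC Technical
Impact value. Not the ssvc-calc code; the mapping below is an assumption."""
import re
from typing import Dict, Optional

# CVSS v3.0/3.1 base metrics that every valid vector must carry.
_V3_REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
# Allowed values for the metrics this example cares about.
_IMPACT_VALUES = {"N": "none", "L": "low", "H": "high"}
_SCOPE_VALUES = {"U": "unchanged", "C": "changed"}

# Constructed lookup table standing in for a CVE -> vector fetch (e.g. NVD).
# The IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = {
    "CVE-EXAMPLE-0001": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "CVE-EXAMPLE-0002": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
    "CVE-EXAMPLE-0003": "AV:N/AC:L/Au:N/C:P/I:P/A:P",  # CVSS v2 only: no v3 data
}


class CvssVectorError(ValueError):
    """Raised when a string is not a well-formed CVSS v3.x vector."""


def parse_cvss_v3(vector: str) -> Dict[str, str]:
    """Return {metric: letter} for a CVSS v3.0/3.1 vector string.

    Rejects v2 vectors, missing or duplicate base metrics and unknown values,
    so a malformed record cannot silently produce a suggestion.
    """
    parts = vector.strip().split("/")
    if not re.fullmatch(r"CVSS:3\.[01]", parts[0]):
        raise CvssVectorError(f"not a CVSS v3.x vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not name or not value:
            raise CvssVectorError(f"malformed metric {part!r}")
        if name in metrics:
            raise CvssVectorError(f"duplicate metric {name!r}")
        metrics[name] = value
    missing = [m for m in _V3_REQUIRED if m not in metrics]
    if missing:
        raise CvssVectorError(f"missing base metrics: {missing}")
    for m in ("C", "I", "A"):
        if metrics[m] not in _IMPACT_VALUES:
            raise CvssVectorError(f"bad value {metrics[m]!r} for {m}")
    if metrics["S"] not in _SCOPE_VALUES:
        raise CvssVectorError(f"bad value {metrics['S']!r} for S")
    return metrics


def suggest_technical_impact(metrics: Dict[str, str]) -> str:
    """ASSUMED mapping (not the SSVC paper's): 'total' when confidentiality,
    integrity and availability are all High, otherwise 'partial'."""
    if all(metrics[m] == "H" for m in ("C", "I", "A")):
        return "total"
    return "partial"


def suggest_for_cve(cve_id: str,
                    records: Dict[str, str] = SAMPLE_RECORDS) -> Optional[dict]:
    """Look up a CVE's vector and return the extracted metrics plus a suggestion.

    Returns None when there is no record or the record has no usable v3 vector,
    so a calculator can fall back to asking the user instead of guessing.
    """
    vector = records.get(cve_id)
    if vector is None:
        return None
    try:
        metrics = parse_cvss_v3(vector)
    except CvssVectorError:
        return None
    return {
        "cve": cve_id,
        "scope": _SCOPE_VALUES[metrics["S"]],
        "confidentiality": _IMPACT_VALUES[metrics["C"]],
        "integrity": _IMPACT_VALUES[metrics["I"]],
        "availability": _IMPACT_VALUES[metrics["A"]],
        "technical_impact": suggest_technical_impact(metrics),
    }


if __name__ == "__main__":
    for cve in SAMPLE_RECORDS:
        print(cve, suggest_for_cve(cve))
```

The parser is strict on purpose: a record that only carries a CVSS v2 vector, or a v3 vector with an unknown value, yields no suggestion rather than a wrong one, which is the behaviour a calculator prefill should have so that the user still makes the final Technical Impact call.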

@j--- j--- added documentation Improvements or additions to documentation enhancement New feature or request demo site Demo site and production site content labels May 16, 2022
@j--- j--- self-assigned this May 16, 2022
@sei-vsarvepalli sei-vsarvepalli self-assigned this May 30, 2022
@sei-vsarvepalli
Contributor

Hey @j---

I hadn't noticed this until just now. It is very easy to pull CVSS vector strings. Maybe I will do this once the open bug tickets are fixed for the demo site.

Vijay

@jchester

/CCing my dayjob alterego, @jchestershopify.

@j---
Collaborator Author

j--- commented Jun 27, 2022

@sei-vsarvepalli , let's handle the calculator engineering under #195. This issue will be closed once the discussion of causal models and the comparison to CVSS is handled in the PDF document / documentation.

@CERTCC CERTCC locked and limited conversation to collaborators Apr 13, 2023
@ahouseholder ahouseholder converted this issue into discussion #218 Apr 13, 2023
@ahouseholder ahouseholder added this to the SSVC v2.1 milestone Apr 13, 2023
@ahouseholder ahouseholder added the ssvc-calc SSVC "calculator" implementation label Mar 1, 2024