Vulnerability Assessment


Today's goal is to practice assessing the severity of a given vulnerability. You will go through several past vulnerabilities in major software products and answer two types of questions: one type from the Common Vulnerability Scoring System (CVSS), and another that can help developers identify vulnerabilities in the future.

In today's discussion, we will cover a number of recent vulnerabilities in real products. As with everything in real life, these are messy and don't always fit into the logical buckets we have made, so the assessment of each vulnerability is ultimately subjective. Fortunately, we can mitigate that subjectivity with multiple perspectives and lively discussion.


This activity is for 4-6 people, all at one table.

  1. Go to this Google Docs spreadsheet template, and make your own copy called "Vulnerability Assessment".
  2. Make sure everyone can edit the one sheet for your group.


  1. As a group, review the following question from the CVSS, and make sure everyone understands it:
  2. Prepare the group for a Planning Poker-style discussion. Each team member should write down their votes on the questions (see the next step). No peeking at each other's votes ahead of time, but feel free to discuss the vulnerability prior to voting for any clarifications.
  3. For each of the vulnerabilities given below, answer only the Access Vector question. Record your conclusion in the spreadsheet (be sure to use the given dropdowns for the answers).
  4. As a group, review the following questions from the CVSS, and the two new questions:
  5. Now, once you've answered the Access Vector question for all of the vulnerabilities, go back and answer the rest of the questions as a group. This time, try to answer all of the questions for one vulnerability at a time. Keep that discussion moving - you've now got over twenty decisions to make!
  6. Finished a little early? Take a look at these:

Submission & Grading

Share your document with your instructor and course assistant. They might provide feedback, but this will not be graded.