Software Testing and Acceptance Flashcards
Bug triage - DREAD
Assign a score of 1-10 to each DREAD parameter so that bugs can be compared.
Risk = Impact (Damage, Affected Users) x Probability (Reproducibility, Exploitability, Discoverability).
DREAD
Damage: Damage needs to be assessed in terms of confidentiality, integrity, and availability.
Reproducibility: Is the bug easily reproducible (e.g. via scripts)?
Exploitability: How difficult is it to use the vulnerability to carry out the attack?
Affected Users: How large is the affected user base?
Discoverability: How easily is the vulnerability discovered?
MITRE CVSS metrics to assign a score to a vulnerability
Base Metrics:
Exploitability/Probability:
1. Attack vector
2. Attack complexity
3. Privileges required (is elevation of privilege needed?)
4. User interaction
Impact:
Confidentiality, Integrity, Availability
Addition of situation/environment to the base MITRE CVSS to allow situational customization of the CVSS score, making it more meaningful for enterprises to use.
Temporal metric group represents how the risk can change over time:
1. Exploit Code Maturity
2. Remediation Level
3. Report Confidence
Environmental metric group represents characteristics of the vulnerability that may change from system to system based on defenses and system design:
Confidentiality requirement, Integrity requirement, Availability requirement