diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml new file mode 100644 index 00000000..d5aa5b78 --- /dev/null +++ b/.github/workflows/lint_md_changes.yml @@ -0,0 +1,30 @@ +name: "Lint Markdown (Changes)" +on: + push: + paths: + - '**/*.md' + - .github/workflows/lint_md_changes.yml + pull_request: + paths: + - '**/*.md' + - .github/workflows/lint_md_changes.yml + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: tj-actions/changed-files@v44 + id: changed-files + with: + files: '**/*.md' + separator: "," + - uses: DavidAnson/markdownlint-cli2-action@v16 + if: steps.changed-files.outputs.any_changed == 'true' + with: + globs: ${{ steps.changed-files.outputs.all_changed_files }} + separator: "," + config: .markdownlint.yml + diff --git a/.gitignore b/.gitignore index 6189a8e6..c575e379 100644 --- a/.gitignore +++ b/.gitignore @@ -129,3 +129,4 @@ dmypy.json .pyre/ ssvc2-applier-wip.xlsx _version.py +node_modules diff --git a/.markdownlint.yml b/.markdownlint.yml new file mode 100644 index 00000000..3c95d570 --- /dev/null +++ b/.markdownlint.yml @@ -0,0 +1,29 @@ +default: true +# disable noisy rules +# 0004 Unordered List style +# Force dash style for unordered lists +MD004: + style: "dash" +# 013 Line length +# Disabled because we have a lot of long lines. We should fix this eventually. +MD013: false +# 033 Inline HTML +# Disabled because we use inline HTML (
in table cells for example) +MD033: false +# MD040/fenced-code-language : Fenced code blocks should have a language specified : https://github.com/DavidAnson/markdownlint/blob/v0.37.4/doc/md040.md +MD040: false +# 041 First line in file should be a top level header +# Disabled because we use `include-markdown` plugin for merging markdown files +MD041: false +# 046 Code block style +# Disabled because mkdocs-material uses indented blocks for admonitions +MD046: false +# 049 emphasis style +# Force asterisk style for emphasis +MD049: + style: "asterisk" +# 050 strong style +# Force asterisk style for strong +MD050: + style: "asterisk" + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d3e01067..e2d15805 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,7 +1,7 @@ # How to contribute Thanks for your help on improving our stakeholder-specific vulnerability categorization work. -To account for different stakeholder perspectives, we benefit from a diverse group of contributors. +To account for different stakeholder perspectives, we benefit from a diverse group of contributors. Please see our project documentation in the [wiki](https://github.com/CERTCC/SSVC/wiki) that accompanies this repository for more information on how you can contribute to the project. @@ -9,9 +9,8 @@ for more information on how you can contribute to the project. ## Licenses See [LICENSE](https://github.com/CERTCC/SSVC/blob/main/LICENSE) - + ## Questions If you have any questions, an [issue](https://github.com/CERTCC/SSVC/issues) or [discussion](https://github.com/CERTCC/SSVC/discussions) is the best way to get in touch with us. - diff --git a/README.md b/README.md index ae0a2910..319c0a0f 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-ma SSVC is mostly conceptual tools for vulnerability management. These conceptual tools (how to make decisions, what should go into a decision, how to document and communicate decisions clearly, etc.) are described here. -**Note:** This repository contains the _content_ for the main SSVC documentation hosted at +**Note:** This repository contains the *content* for the main SSVC documentation hosted at ## [https://certcc.github.io/SSVC/](https://certcc.github.io/SSVC/) @@ -19,7 +19,6 @@ These conceptual tools (how to make decisions, what should go into a decision, h --- - # What's here Here's a quick overview of the main directories and files in this repository. @@ -34,7 +33,7 @@ See [`project_docs/README.md`](project_docs/README.md) for more info. Directory with SSVC calculator using D3 graph. See [`ssvc-calc/README.md`](docs/ssvc-calc/README.md) for more info. -A demo version of `ssvc-calc` can be found at https://certcc.github.io/SSVC/ssvc-calc/ +A demo version of `ssvc-calc` can be found at ## `/pdfs/*` @@ -82,7 +81,6 @@ The two methods just loop through their respective lookup tables until they hit a match, then return the outcome. Maybe not the best implementation, but it worked well enough for what was needed at the time. - ## Local development Install prerequisites: @@ -97,11 +95,11 @@ Start a local server: mkdocs serve ``` -Navigate to http://localhost:8001/ to see the site. +Navigate to to see the site. (Hint: You can use the `--dev-addr` argument with mkdocs to change the port, e.g. `mkdocs serve --dev-addr localhost:8000`) -## Run tests +## Run tests We include a few tests for the `ssvc` module. @@ -121,9 +119,6 @@ pip install pytest # if you haven't already pytest # should find tests in src/test/* ``` - - - ## Contributing - [SSVC Community Engagement](https://certcc.github.io/SSVC/about/contributing/) has more detail on how to contribute to the project. @@ -147,5 +142,5 @@ To reference SSVC in an academic publication, please refer to the version presen ## References -1. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization." White Paper, Software Engineering Institute, Carnegie Mellon University (2019). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=636379 -2. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Towards Improving CVSS." White Paper, Software Engineering Institute, Carnegie Mellon University (2018). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538368 +1. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization." White Paper, Software Engineering Institute, Carnegie Mellon University (2019). +2. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Towards Improving CVSS." White Paper, Software Engineering Institute, Carnegie Mellon University (2018). diff --git a/data/schema/README.MD b/data/schema/README.MD index 75c80654..6f90e8bc 100644 --- a/data/schema/README.MD +++ b/data/schema/README.MD @@ -1,10 +1,6 @@ -# SSVC decision tree schemas +# SSVC decision tree schemas -Two JSON schema files are embedded here that provide schema information for +Two JSON schema files are embedded here that provide schema information for 1. Full Decision tree schema for represeting an SSVC decision tree for a Role 2. Computed SSVC score schema of a vulnerability at a point of time, optionally includes the tree used in making the decision. - - - - diff --git a/data/schema_examples/archive/index.md b/data/schema_examples/archive/index.md index 386fd140..71f652a2 100644 --- a/data/schema_examples/archive/index.md +++ b/data/schema_examples/archive/index.md @@ -1,8 +1,3 @@ # Sample JSON files (Archived) - -There are a few examples of the old schema validated JSON files here, please follow the latest schema in [Decision_Point_Value_Selection.schema.json ](../../schema/current/Decision_Point_Value_Selection.schema.json) - - - - +There are a few examples of the old schema validated JSON files here, please follow the latest schema in [Decision_Point_Value_Selection.schema.json](../../schema/current/Decision_Point_Value_Selection.schema.json) diff --git a/data/schema_examples/index.md b/data/schema_examples/index.md index 4c4db38c..b405110a 100644 --- a/data/schema_examples/index.md +++ b/data/schema_examples/index.md @@ -1,10 +1,5 @@ # Sample JSON files - There is a sample JSON file that provides an example of a hypothetical CVE [CVE-1900-1234](CVE-1900-1234-Decision_Point_Value_Selection.json) that adheres to the [JSON schema](../schema/) The old JSON files are in the [archive](./archive/) folder - - - - diff --git a/docs/_includes/helping_out.md b/docs/_includes/helping_out.md index e869620b..f088bbe1 100644 --- a/docs/_includes/helping_out.md +++ b/docs/_includes/helping_out.md @@ -4,53 +4,52 @@ We welcome your feedback and contributions to SSVC. Here are some ways you can g
-- :material-message-question: _Ask a question_ +- :material-message-question: *Ask a question* --- - If you have a specific question for the SSVC team, please feel free to + If you have a specific question for the SSVC team, please feel free to [Ask a Question](https://github.com/CERTCC/SSVC/issues/new?template=question.md). - + Questions of more general interest to the community of SSVC users might fit better in the [Q&A](https://github.com/CERTCC/SSVC/discussions/categories/q-a) section of the [Discussion](https://github.com/CERTCC/SSVC/discussions) area. -- :fontawesome-solid-bug: _Report a problem_ +- :fontawesome-solid-bug: *Report a problem* --- If you find a problem with the SSVC documentation, the methodology, or accompanying code, we welcome your [Bug Reports](https://github.com/CERTCC/SSVC/issues/new?template=bug_report.md) - -- :material-lightbulb-on: _Suggest an improvement_ + +- :material-lightbulb-on: *Suggest an improvement* --- Got an idea for how to make SSVC better? We'd love to hear it! Please submit your [Feature Requests](https://github.com/CERTCC/SSVC/issues/new?template=feature_request.md) - -- :fontawesome-regular-comments: _Join the conversation_ + +- :fontawesome-regular-comments: *Join the conversation* --- More in-depth conversations that might not be actionable as issues are found in the [Discussions](https://github.com/CERTCC/SSVC/discussions) area. -- :material-binoculars: _See what we're working on_ +- :material-binoculars: *See what we're working on* --- We manage the SSVC development effort via Github [Issues](https://github.com/CERTCC/SSVC/issues) and - [Pull Requests](https://github.com/CERTCC/SSVC/pulls). + [Pull Requests](https://github.com/CERTCC/SSVC/pulls). Drop by and see what we're working on, or leave a comment to let us know what you're interested in. -- :material-hub: _Get more involved_ +- :material-hub: *Get more involved* --- Want more information about engaging as a collaborator? Check out the [SSVC Project Wiki](https://github.com/CERTCC/SSVC/wiki) - -
+ !!! tip "Footer Icons" @@ -60,4 +59,3 @@ We welcome your feedback and contributions to SSVC. Here are some ways you can g If you are new to contributing to open source projects on Github, we've assembled some pointers to help you get started in the [Github Tips for SSVC contributors](https://github.com/CERTCC/SSVC/wiki/Github-Tips-for-SSVC-contributors) - diff --git a/docs/about/acknowledgements.md b/docs/about/acknowledgements.md index b2176f46..174ef80c 100644 --- a/docs/about/acknowledgements.md +++ b/docs/about/acknowledgements.md @@ -5,8 +5,8 @@ of this report: Art Manion, Madison Oliver, and Deana Shick. The authors thank the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors) to the [SSVC project](https://github.com/CERTCC/SSVC) on Github as well as the following individuals for helpful comments on -prior drafts (listed in alphabetical order): -Muhammad Akbar, +prior drafts (listed in alphabetical order): +Muhammad Akbar, Will Dormann, Manish Gaur, Ralph Langer, @@ -23,4 +23,3 @@ Anonymous WEIS reviewers; Various staff members and analysts at CERT/CC, CISA, McAfee, and VMWare; FIRST CVSS SIG and EPSS SIG members; and others who wish to remain anonymous. - diff --git a/docs/about/changelog.md b/docs/about/changelog.md index aee45fe4..cb31527b 100644 --- a/docs/about/changelog.md +++ b/docs/about/changelog.md @@ -9,29 +9,29 @@ In the 2024.3 release of the Stakeholder-Specific Vulnerability Classification ( This release debuts the [certcc.github.io/SSVC](https://certcc.github.io/SSVC) web site to serve as the front-door for all things SSVC. - **Diátaxis Framework** - We adopted the [Diátaxis Framework](https://diataxis.fr/) as a document organization framework for SSVC documentation. High level content categories are: tutorials, how-to, topics, and reference. What used to be a linear paper format is now sectioned off into more digestible pieces. -- **More call-outs and examples** - With our adoption of [_Material for MkDocs_](https://squidfunk.github.io/mkdocs-material/) as the underlying toolkit to construct our web site, we were able to better highlight examples, tips, and sidebar topics through the use of call-out boxes throughout the site. +- **More call-outs and examples** - With our adoption of [*Material for MkDocs*](https://squidfunk.github.io/mkdocs-material/) as the underlying toolkit to construct our web site, we were able to better highlight examples, tips, and sidebar topics through the use of call-out boxes throughout the site. -## New and Revised Content +## New and Revised Content - **Expanded Content** - We've included more examples of Decision Points and the like directly inline where they're mentioned so readers don't need to keep flipping back and forth to their definitions for reference. -- **Bootstrapping advice** - Added a _Getting Started with SSVC_ process to help organizations go from being _potential_ SSVC users to being _actual_ SSVC users. This process is based on both our own experience helping organizations adopt SSVC as well as a few field reports of SSVC adoption from the community. -- **Putting the Pieces Together** - _Added a Putting the Pieces Together_ page explaining some of our philosophy regarding how to use SSVC to model decisions. SSVC provides you with the pieces and some instructions on how to assemble them, but you can customize it however you like. -- **Acuity Ramp** - Added an _Acuity Ramp_ explainer to show how an organization can grow into a decision model over time. +- **Bootstrapping advice** - Added a *Getting Started with SSVC* process to help organizations go from being *potential* SSVC users to being *actual* SSVC users. This process is based on both our own experience helping organizations adopt SSVC as well as a few field reports of SSVC adoption from the community. +- **Putting the Pieces Together** - *Added a Putting the Pieces Together* page explaining some of our philosophy regarding how to use SSVC to model decisions. SSVC provides you with the pieces and some instructions on how to assemble them, but you can customize it however you like. +- **Acuity Ramp** - Added an *Acuity Ramp* explainer to show how an organization can grow into a decision model over time. - **Community Engagement** - Included in the new web site are a number of suggested ways for the community to interact with and contribute to the SSVC. ## Versioned Objects -- **Semantic Versioning for Decision Points and Decision Point Groups** - Introduced Semantic Versioning (SemVer) for _Decision Points_ and _Decision Point Groups_ to improve communication around decision points and decision models -- **Calendar Versioning for SSVC as a whole** - With the introduction of SemVer for _Decision Points_ and _Decision Point Groups_, it started to make less sense for us to talk in terms of "SSVC v2.2", especially as we were simultaneously moving away from a PDF document-focused development model towards a more flexible web-based documentation model. Beginning with this version, we anticipate that future tagged releases will use Calendar Versioning (CalVer) instead of SemVer. +- **Semantic Versioning for Decision Points and Decision Point Groups** - Introduced Semantic Versioning (SemVer) for *Decision Points* and *Decision Point Groups* to improve communication around decision points and decision models +- **Calendar Versioning for SSVC as a whole** - With the introduction of SemVer for *Decision Points* and *Decision Point Groups*, it started to make less sense for us to talk in terms of "SSVC v2.2", especially as we were simultaneously moving away from a PDF document-focused development model towards a more flexible web-based documentation model. Beginning with this version, we anticipate that future tagged releases will use Calendar Versioning (CalVer) instead of SemVer. ## Experimental & Emerging Features There are a few improvements we've begun but have not yet fully finished, and that are largely undocumented. Most of these in the current release are python-centric. Here's a brief overview for those who want to poke around at code. -- **SSVC Python module** - This release introduces the `ssvc` python module to allow us to more easily work with _Decision Points_, _Decision Point Groups_, _Outcomes_, and _Policies_ that map from _Decision Points_ to _Outcomes_. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation. -- **Policy Generator** - We're prototyping a Python tool that can generate a starting policy given any combination of a _Decision Point Group_ and _Outcomes_. It's not ready for prime-time yet, but folks with a bit of python skill might be in a position to try it out. +- **SSVC Python module** - This release introduces the `ssvc` python module to allow us to more easily work with *Decision Points*, *Decision Point Groups*, *Outcomes*, and *Policies* that map from *Decision Points* to *Outcomes*. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation. +- **Policy Generator** - We're prototyping a Python tool that can generate a starting policy given any combination of a *Decision Point Group* and *Outcomes*. It's not ready for prime-time yet, but folks with a bit of python skill might be in a position to try it out. - **More Decision Points and Outcomes** - In the process of exercising our Semantic Versioning rules for decision points and groups, we needed some examples of versioning events for discussion purposes. As a result, the `ssvc.decision_points.cvss` and `ssvc.dp_groups.cvss` modules contain python implementations of CVSS vector elements from CVSS v1, v2, v3, v3.1, and v4. We anticipate some of these coming in handy in the future as we look toward modeling other decisions potentially based on CVSS vector elements as well as other decision points from SSVC and elsewhere. We also included decision points and groups from [CISA's customized SSVC implementation](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc). - + ## Other project infrastructure improvements - Shifted from PDF-oriented to web-oriented workflow @@ -55,8 +55,8 @@ The details of what changes were made can be viewed on the SSVC Github under the - Improved consistency of *Public Safety Impact* usage throughout the document and tooling - Improved consistency of *Human Impact* usage throughout the document - Clarified that known default passwords are an example of *Exploitation*:PoC -- Clarified that unreachable code (as in unused library features) are _System Exposure_:small -- Mention DoD MEF definition in _Mission Impact_ +- Clarified that unreachable code (as in unused library features) are *System Exposure*:small +- Mention DoD MEF definition in *Mission Impact* - Updated references to EPSS to reflect recent publications - Refactored markdown files to better track chapter and section numbering, improving findability when editing - Automated HTML and PDF generation into a Github Workflow @@ -64,7 +64,6 @@ The details of what changes were made can be viewed on the SSVC Github under the - Consolidated the SSVC document style guide into a single file in the repository - Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists) - ## Version 2 (2021.5) Changelog This section summarizes the changes between SSVC version 2 and SSVC version 1.1 as published at the Workshop on the Ecnomics of Information Security (WEIS 2020). @@ -113,7 +112,6 @@ Either situation is sufficient to increase the priority, and there do not appear On the other hand, a low *Utility* or *System Exposure* may mitigate a high mission or well-being impact. So the Version 2 recommended tree is more usable than the Version 1 tree, thanks to these changes. - ### Tree management and communication tools The section Tree Construction and Customization Guidance is largely new or revised. @@ -127,4 +125,4 @@ Version 2 also addresses several other questions about SSVC information manageme ## Version 1.0 (2019.12) Changelog -Initial release \ No newline at end of file +Initial release diff --git a/docs/about/contact_us.md b/docs/about/contact_us.md index 3e740193..795237f4 100644 --- a/docs/about/contact_us.md +++ b/docs/about/contact_us.md @@ -7,4 +7,4 @@ Software Engineering Institute **Web**: [www.sei.cmu.edu](http://www.sei.cmu.edu) **Email**: [info@sei.cmu.edu](mailto:info@sei.cmu.edu) -{% include-markdown "../_includes/helping_out.md" heading-offset=1 %} \ No newline at end of file +{% include-markdown "../_includes/helping_out.md" heading-offset=1 %} diff --git a/docs/about/contributing.md b/docs/about/contributing.md index fdd0519e..1077a4b3 100644 --- a/docs/about/contributing.md +++ b/docs/about/contributing.md @@ -1,3 +1,3 @@ {% include-markdown "../_includes/helping_out.md" %} -{% include-markdown "../../CONTRIBUTING.md" %} \ No newline at end of file +{% include-markdown "../../CONTRIBUTING.md" %} diff --git a/docs/about/copyright.md b/docs/about/copyright.md index 59abb77e..5637a336 100644 --- a/docs/about/copyright.md +++ b/docs/about/copyright.md @@ -15,7 +15,7 @@ NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE Internal use:\* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works. -External use:\* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. +External use:\* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at . \* These restrictions do not apply to U.S. government entities. diff --git a/docs/about/index.md b/docs/about/index.md index 74f4fc02..8f18dbd3 100644 --- a/docs/about/index.md +++ b/docs/about/index.md @@ -6,11 +6,10 @@ The evaluation process we developed in version 1 remains an important part of co We invite [participation](contributing.md) and further refinement of the prioritization mechanism from the community as well, such as by [posting an issue](https://github.com/CERTCC/SSVC/issues). We endeavored to be transparent about our process and provide justification for design decisions. -We invite questions, comments, and further community refinement in moving forward with a transparent and justified -vulnerability prioritization methodology that is inclusive for the various stakeholders and industries that develop +We invite questions, comments, and further community refinement in moving forward with a transparent and justified +vulnerability prioritization methodology that is inclusive for the various stakeholders and industries that develop and use information and computer technology. -
- :material-offer: [Community Engagement](contributing.md) @@ -20,4 +19,4 @@ and use information and computer technology. - :material-copyright: [Copyright](copyright.md) - :material-inbox-arrow-down: [Contact Us](contact_us.md) -
\ No newline at end of file + diff --git a/docs/adr/0000-record-architecture-decisions.md b/docs/adr/0000-record-architecture-decisions.md index fcd64cce..1afae220 100644 --- a/docs/adr/0000-record-architecture-decisions.md +++ b/docs/adr/0000-record-architecture-decisions.md @@ -1,7 +1,7 @@ # Record architecture decisions -* Status: accepted -* Date: 2023-10-16 +- Status: accepted +- Date: 2023-10-16 ## Context diff --git a/docs/adr/0001-use-markdown-architectural-decision-records.md b/docs/adr/0001-use-markdown-architectural-decision-records.md index 2c99e241..103a62f1 100644 --- a/docs/adr/0001-use-markdown-architectural-decision-records.md +++ b/docs/adr/0001-use-markdown-architectural-decision-records.md @@ -3,8 +3,8 @@ Adapted from [MADR's similar decision record](https://github.com/adr/madr/blob/2.1.2/docs/adr/0000-use-markdown-architectural-decision-records.md). -* Status: accepted -* Date: 2023-10-16 +- Status: accepted +- Date: 2023-10-16 ## Context and Problem Statement @@ -13,31 +13,32 @@ Which format and structure should these records follow? ## Considered Options -* [MADR](https://adr.github.io/madr/) 3.0.0 - The Markdown Architectural Decision Records -* [Michael Nygard's template](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions) - The first incarnation of the term "ADR" -* [Sustainable Architectural Decisions](https://www.infoq.com/articles/sustainable-architectural-design-decisions) - The Y-Statements -* Other templates listed at -* Formless - No conventions for file format and structure +- [MADR](https://adr.github.io/madr/) 3.0.0 - The Markdown Architectural Decision Records +- [Michael Nygard's template](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions) - The first incarnation of the term "ADR" +- [Sustainable Architectural Decisions](https://www.infoq.com/articles/sustainable-architectural-design-decisions) - The Y-Statements +- Other templates listed at +- Formless - No conventions for file format and structure ## Decision Outcome Chosen option: "MADR 3.0.0", because -* Implicit assumptions should be made explicit. +- Implicit assumptions should be made explicit. Design documentation is important to enable people understanding the decisions later on. See also [A rational design process: How and why to fake it](https://doi.org/10.1109/TSE.1986.6312940). -* The MADR format is lean and fits our development style. -* The MADR structure is comprehensible and facilitates usage & maintenance. -* Version 3.0.0 is the latest one available when starting to document ADRs. +- The MADR format is lean and fits our development style. +- The MADR structure is comprehensible and facilitates usage & maintenance. +- Version 3.0.0 is the latest one available when starting to document ADRs. ### Positive Consequences The ADR are more structured. See especially: -* [MADR-0002 - Do not use numbers in headings](https://github.com/adr/madr/blob/2.1.2/docs/adr/0002-do-not-use-numbers-in-headings.md). -* [MADR-0005 - Use (unique number and) dashes in filenames](https://github.com/adr/madr/blob/2.1.2/docs/adr/0005-use-dashes-in-filenames.md). -* [MADR-0010 - Support categories (in form of subfolders with local ids)](https://github.com/adr/madr/blob/2.1.2/docs/adr/0010-support-categories.md). -* See [full set of MADR ADRs](https://github.com/adr/madr/blob/2.1.2/docs/adr). + +- [MADR-0002 - Do not use numbers in headings](https://github.com/adr/madr/blob/2.1.2/docs/adr/0002-do-not-use-numbers-in-headings.md). +- [MADR-0005 - Use (unique number and) dashes in filenames](https://github.com/adr/madr/blob/2.1.2/docs/adr/0005-use-dashes-in-filenames.md). +- [MADR-0010 - Support categories (in form of subfolders with local ids)](https://github.com/adr/madr/blob/2.1.2/docs/adr/0010-support-categories.md). +- See [full set of MADR ADRs](https://github.com/adr/madr/blob/2.1.2/docs/adr). ### Negative Consequences -* Learning curve will be slightly longer. +- Learning curve will be slightly longer. diff --git a/docs/adr/0002-ssvc-decision-points-are-versioned.md b/docs/adr/0002-ssvc-decision-points-are-versioned.md index 4a0d0ae2..9203a78b 100644 --- a/docs/adr/0002-ssvc-decision-points-are-versioned.md +++ b/docs/adr/0002-ssvc-decision-points-are-versioned.md @@ -18,18 +18,17 @@ should be relatively infrequent after an initial period of refinement. Note: This decision addresses the fact that decision points are versioned, but does not address how the version number is used. We will address that in a separate decision. - ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated ## Considered Options -* No versioning -* [Semantic versioning](https://semver.org/) -* [CalVer](https://calver.org/) +- No versioning +- [Semantic versioning](https://semver.org/) +- [CalVer](https://calver.org/) ## Decision Outcome @@ -42,7 +41,6 @@ compatibility expectations between versions. - Semver makes sense for decision point versioning because we don't anticipate them changing much once they go 1.0 - and typo fixes etc. could just bump the fix version e.g., 1.0.2 -> 1.0.3 - ### Consequences - Maintaining version numbers for decision points will add a small burden to each decision point. @@ -56,6 +54,6 @@ compatibility expectations between versions. ## More Information -- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. - [Semantic Versioning](https://semver.org/) -- [CalVer](https://calver.org/) \ No newline at end of file +- [CalVer](https://calver.org/) diff --git a/docs/adr/0003-ssvc-decision-point-versioning-rules.md b/docs/adr/0003-ssvc-decision-point-versioning-rules.md index b625d4cc..ecffcbfb 100644 --- a/docs/adr/0003-ssvc-decision-point-versioning-rules.md +++ b/docs/adr/0003-ssvc-decision-point-versioning-rules.md @@ -7,7 +7,6 @@ deciders: adh, jspring, vssarvepalli, latyzenhaus, cgyarbrough, ehatleback ## Context and Problem Statement - A decision point represents a unit of information for use in one or more decisions An SSVC "version" might introduce new decision points or new functions (trees) over existing decision points (or both) As SSVC evolves and grows, we occasionally have the need to modify an existing decision point. @@ -19,13 +18,12 @@ should be relatively infrequent after an initial period of refinement. Note: This decision addresses the rules for versioning, and depends on the decision to version decision points in the first place. - ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated -* Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated +- Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. ## Considered Options @@ -36,31 +34,30 @@ Strictly speaking, Decision Points might not need to be explicitly versioned bec However, for future-proofing purposes we might want to include a key-value pair in the decision point definition to represent a version ID. We could establish rules such as + - version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change - version 1.0 freezes the Decision Point labels, number of labels, and their ordering - version 1.0.x for x > 0 would be limited to description changes - ## Decision Outcome Chosen option: "Semantic versioning": > Given a version number MAJOR.MINOR.PATCH, increment the: -> +> > - MAJOR version when you make incompatible API changes -> - MINOR version when you add functionality in a backward compatible manner +> - MINOR version when you add functionality in a backward compatible manner > - PATCH version when you make backward compatible bug fixes > > Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format. Applied as follows: - | Do this... | ...when... | |----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | New Object | A different or new concept is being represented
Note: new objects get new names | -| +1 Major Version | Existing options are _removed_
Option semantics change in a way that older answers are no longer usable
New options are added that divide previous semantics ambiguously
Note: The ability to map old to new semantics is encouraged but not required | -| +0.1 Minor Version | New options are added
Option names are changed while semantics are retained
_AND_ all existing options are retained with compatible semantics | +| +1 Major Version | Existing options are *removed*
Option semantics change in a way that older answers are no longer usable
New options are added that divide previous semantics ambiguously
Note: The ability to map old to new semantics is encouraged but not required | +| +0.1 Minor Version | New options are added
Option names are changed while semantics are retained
*AND* all existing options are retained with compatible semantics | | +0.0.1 Patch Version | No changes to number of options
No changes to semantics of options
Typo fixes in option names or decision point name | Decision Points having a major version of 0 are considered to be pre-support and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change. @@ -80,8 +77,8 @@ The lowest supported version of a decision point is 1.0.0. use use version 2.1 of a decision point at one time and later revert to using version 1.0 if the 2.1 was found to be problematic). - Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. - We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. -This implies the need for a way to denote the _status_ of a decision point in addition to its _version_. -Decision Point _status_ will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. +This implies the need for a way to denote the *status* of a decision point in addition to its *version*. +Decision Point *status* will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. ### Confirmation @@ -89,5 +86,5 @@ Decision Point _status_ will need to be addressed in a separate decision (or dec ## More Information -- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. - [Semantic Versioning](https://semver.org/) diff --git a/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md b/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md index 345801ca..1e7aa82d 100644 --- a/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md +++ b/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md @@ -11,9 +11,9 @@ deciders: adh, jspring, vssarvepalli, cgyarbrough, latyzenhaus, ehatleback Decision Point Groups are sets of decision points pinned to specific versions of those decision points. These groups may change over time. -For example, the SSVC _Patch Applier_ and _Deployer_ trees have evolved as follows: +For example, the SSVC *Patch Applier* and *Deployer* trees have evolved as follows: -| _Patch Applier_ (SSVC v1) | _Deployer_ (SSVC v2) | _Deployer_ (SSVC v2.1) | +| *Patch Applier* (SSVC v1) | *Deployer* (SSVC v2) | *Deployer* (SSVC v2.1) | |:-------------------------:|:--------------------------------------------------------:|:-----------------------------------------------------------:| | Exploitation 1.0.0 | Exploitation 1.0.0 | Exploitation 1.0.0 | | System Exposure 1.0.0 | System Exposure 1.0.1 | System Exposure 1.0.1 | diff --git a/docs/adr/0005-ssvc-decision-point-group-versioning.md b/docs/adr/0005-ssvc-decision-point-group-versioning.md index f515f1d0..cdb2f525 100644 --- a/docs/adr/0005-ssvc-decision-point-group-versioning.md +++ b/docs/adr/0005-ssvc-decision-point-group-versioning.md @@ -19,11 +19,10 @@ This ADR establishes the rules for versioning Decision Point Groups. - Decision Points change over time - The composition of decision point groups change over time - It is important that we can discriminate between versions of decision point groups -- Although technically a Decision Point Group is fully defined by the set of - pinned Decision Points it contains, we find it convenient to be able to +- Although technically a Decision Point Group is fully defined by the set of + pinned Decision Points it contains, we find it convenient to be able to refer to the group as a whole, and to be able to discriminate between different versions of the group. - ## Considered Options A number of options were discussed in @@ -45,7 +44,7 @@ provides indication of compatibility expectations between versions. Implemented as follows: The core identity of a decision point group is derived from the pairing of the -_stakeholder role_ and the specific _decision_ being modeled. +*stakeholder role* and the specific *decision* being modeled. ### Create a new object when @@ -79,8 +78,8 @@ version of the existing name according to the following rules. ### Examples -Assume a decision point group (DPG) named _DPG v1.0.0_, -containing decision points (DP) _A v1.0.0_ and _B v1.3.1_. +Assume a decision point group (DPG) named *DPG v1.0.0*, +containing decision points (DP) *A v1.0.0* and *B v1.3.1*. In the table below, we show how the Decision Point Group version number changes as the constituent Decision Points change. @@ -101,11 +100,11 @@ In row 4, DP C undergoes a major version increment, which triggers a major versi - Maintaining version numbers for decision point groups will add a small burden to each decision point group. - Semantic versioning will make it easier to track changes to decision point groups over time. - Because we don't anticipate frequent changes to decision point groups, the burden of maintaining version numbers should be minimal. -- We are deliberately avoiding using the _name_ of the Decision Point Group as part of the versioning scheme, as +- We are deliberately avoiding using the *name* of the Decision Point Group as part of the versioning scheme, as in the motivating example in [ADR 0004](0004-ssvc-decision-point-groups-are-versioned.md) we shifted the -group name from _Patch Applier_ to _Deployer_, but since the group is still -intended to represent the same _stakeholder role_ and _decision_, we want +group name from *Patch Applier* to *Deployer*, but since the group is still +intended to represent the same *stakeholder role* and *decision*, we want to be able to treat name changes as aliases rather than versioning events. ## More Information diff --git a/docs/adr/0006-ssvc-decision-point-versioning-rules.md b/docs/adr/0006-ssvc-decision-point-versioning-rules.md index 580b4ae0..ad1c5063 100644 --- a/docs/adr/0006-ssvc-decision-point-versioning-rules.md +++ b/docs/adr/0006-ssvc-decision-point-versioning-rules.md @@ -20,10 +20,10 @@ Note: This decision addresses the rules for versioning, and depends on the decis ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated -* Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated +- Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. ## Considered Options @@ -35,9 +35,9 @@ However, for future-proofing purposes we might want to include a key-value pair We could establish rules such as -* version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change -* version 1.0 freezes the Decision Point labels, number of labels, and their ordering -* version 1.0.x for x > 0 would be limited to description changes +- version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change +- version 1.0 freezes the Decision Point labels, number of labels, and their ordering +- version 1.0.x for x > 0 would be limited to description changes ## Decision Outcome @@ -45,9 +45,9 @@ Chosen option: "Semantic versioning": > Given a version number MAJOR.MINOR.PATCH, increment the: > -> * MAJOR version when you make incompatible API changes -> * MINOR version when you add functionality in a backward compatible manner -> * PATCH version when you make backward compatible bug fixes +> - MAJOR version when you make incompatible API changes +> - MINOR version when you add functionality in a backward compatible manner +> - PATCH version when you make backward compatible bug fixes > > Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format. @@ -55,17 +55,17 @@ Applied as follows: ### Create a new object when -* A different or new concept is being represented +- A different or new concept is being represented **Note**: New objects SHOULD get new names and new keys ### Increment the Major Version when -* Criteria for creating a new object are not met, _AND_ - * existing values are removed, _OR_ - * value semantics change in a way that older answers are no longer usable, - _OR_ - * new values are added that divide previous value semantics ambiguously +- Criteria for creating a new object are not met, *AND* + - existing values are removed, *OR* + - value semantics change in a way that older answers are no longer usable, + *OR* + - new values are added that divide previous value semantics ambiguously **Note**: The ability to map old to new semantics is encouraged but not required @@ -73,21 +73,21 @@ Applied as follows: Minor version increments imply that existing value semantics are preserved. -* Criteria for incrementing the Major Version are not met, _AND_ - * new options are added, _OR_ - * value names or keys are changed, _OR_ - * the decision point name is changed +- Criteria for incrementing the Major Version are not met, *AND* + - new options are added, *OR* + - value names or keys are changed, *OR* + - the decision point name is changed ### Increment the Patch Version when Patch version increments imply that existing value number and semantics are preserved. -* Criteria for incrementing the Major or Minor Version are not met, _AND_ - * typo fixes in option names or decision point name, _OR_ - * the decision point description changes in a way that does not affect - semantics, _OR_ - * a value description changes in a way that does not affect semantics +- Criteria for incrementing the Major or Minor Version are not met, *AND* + - typo fixes in option names or decision point name, *OR* + - the decision point description changes in a way that does not affect + semantics, *OR* + - a value description changes in a way that does not affect semantics ### Pre-Support Decision Points @@ -103,7 +103,7 @@ In other words, a Minor version increment of a 0.x decision point may be used to indicate a change in semantics that is not backwards compatible. This is not the case for decision points with a Major Version of 1 or greater. -The lowest _supported_ version of a decision point is 1.0.0. +The lowest *supported* version of a decision point is 1.0.0. ### Examples @@ -122,21 +122,21 @@ compatible, so the new version is 3.0.0. ### Consequences -* Maintaining version numbers for decision points according to these rules will add a small burden to each decision point. -* Semantic versioning will make it easier to track changes to decision points over time. -* Because we don't anticipate frequent changes to decision points, the burden of maintaining version numbers should be minimal. -* Decision point versions can move in either direction when used repeatedly in other versioned objects (E.g., a decision model could +- Maintaining version numbers for decision points according to these rules will add a small burden to each decision point. +- Semantic versioning will make it easier to track changes to decision points over time. +- Because we don't anticipate frequent changes to decision points, the burden of maintaining version numbers should be minimal. +- Decision point versions can move in either direction when used repeatedly in other versioned objects (E.g., a decision model could use use version 2.1 of a decision point at one time and later revert to using version 1.0 if the 2.1 was found to be problematic). -* Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. -* We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. -This implies the need for a way to denote the _status_ of a decision point in addition to its _version_. -Decision Point _status_ will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. +- Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. +- We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. +This implies the need for a way to denote the *status* of a decision point in addition to its *version*. +Decision Point *status* will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. ### Confirmation -* The PR process will confirm that the decision point version number is updated according to these rules. +- The PR process will confirm that the decision point version number is updated according to these rules. ## More Information -* [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. -* [Semantic Versioning](https://semver.org/) +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Semantic Versioning](https://semver.org/) diff --git a/docs/adr/0007-descriptions-exclude-examples.md b/docs/adr/0007-descriptions-exclude-examples.md index 36699d94..1851adc9 100644 --- a/docs/adr/0007-descriptions-exclude-examples.md +++ b/docs/adr/0007-descriptions-exclude-examples.md @@ -7,9 +7,9 @@ deciders: adh, jspring ## Context and Problem Statement -In written definitions of a Decision Point, Decision Point -Value, Outcome Group, Outcome Value, or other elements, it is common to -include examples in the text. In terms of documentation, this is a worthy +In written definitions of a Decision Point, Decision Point +Value, Outcome Group, Outcome Value, or other elements, it is common to +include examples in the text. In terms of documentation, this is a worthy practice to promote understanding. Examples are sometimes timely and need to be updated even though the @@ -18,9 +18,9 @@ versioning of objects. ## Decision Drivers -- In the course of modeling CVSS vectors across versions as SSVC decision +- In the course of modeling CVSS vectors across versions as SSVC decision points, we have found that concepts change less often than examples. -- Our preference is to minimize version changes to objects unless the +- Our preference is to minimize version changes to objects unless the underlying concept has changed. ## Considered Options @@ -30,19 +30,19 @@ versioning of objects. ## Decision Outcome -Chosen option: "Exclude examples from descriptions of objects", because this +Chosen option: "Exclude examples from descriptions of objects", because this helps to minimize version changes to objects unless the underlying concept has changed. -Examples may be included in the documentation text surrounding the object +Examples may be included in the documentation text surrounding the object definition, but not in the object definition itself. ### Consequences -- Good, because it reduces the likelihood and frequency of version changes to +- Good, because it reduces the likelihood and frequency of version changes to objects. - Good, because it promotes the use of examples in documentation text. -- Bad, because it may make it more difficult to understand the object +- Bad, because it may make it more difficult to understand the object definition solely from the object definition itself. ### Confirmation @@ -50,8 +50,8 @@ definition, but not in the object definition itself. The implementation of this decision is confirmed by the absence of examples in the object definitions. -When generating an object definition from a text description, object -creators should look out for phrases like "for example" and "an example of +When generating an object definition from a text description, object +creators should look out for phrases like "for example" and "an example of this is" and exclude the example from the object definition. ## Pros and Cons of the Options @@ -69,7 +69,7 @@ See [Decision Outcome](#decision-outcome). ## More Information -- [ADR-0006](0006-ssvc-decision-point-versioning-rules.md) - SSVC Decision +- [ADR-0006](0006-ssvc-decision-point-versioning-rules.md) - SSVC Decision Point Versioning Rules -- [ADR-0005](0005-ssvc-decision-point-group-versioning.md) - SSVC Decision +- [ADR-0005](0005-ssvc-decision-point-group-versioning.md) - SSVC Decision Point Group Versioning Rules diff --git a/docs/adr/0008-decision-points-are-ordered-sets.md b/docs/adr/0008-decision-points-are-ordered-sets.md index df1740be..cc366ece 100644 --- a/docs/adr/0008-decision-points-are-ordered-sets.md +++ b/docs/adr/0008-decision-points-are-ordered-sets.md @@ -15,25 +15,25 @@ rules about the interaction between decision point values and the outcomes of th ## Decision Drivers -* The need to reason about the outcomes of a decision given a set of input values. -* Desire to automate portions of the decision-making process. -* Desire for rules to validate the interaction between decision point values and the outcomes of the decision. +- The need to reason about the outcomes of a decision given a set of input values. +- Desire to automate portions of the decision-making process. +- Desire for rules to validate the interaction between decision point values and the outcomes of the decision. ## Considered Options -* Decision Point values are ordered sets. -* Decision Point values are unordered sets. +- Decision Point values are ordered sets. +- Decision Point values are unordered sets. ## Decision Outcome Chosen option: "Decision Point values are ordered sets" Rationale: An ordered set implies that for a decision set $D$ with $n$ values $d_1, d_2, \ldots, d_n$, we can -assert the relationship $d_1 \leq d_2 \leq \ldots \leq d_n$. +assert the relationship $d_1 \leq d_2 \leq \ldots \leq d_n$. When combining decision points into a decision model, we can use that relationship to assert rules about the interaction between decision points. For example, if we have a decision point $D_a$ with values $a_1, a_2, a_3$ -and a decision point $D_b$ with values $b_1, b_2, b_3$, we know that +and a decision point $D_b$ with values $b_1, b_2, b_3$, we know that - $a_1 \leq a_2 \leq a_3$ - $b_1 \leq b_2 \leq b_3$ @@ -94,21 +94,20 @@ default policies that map decision values to outcomes following the graph struct ### Consequences -* (Good) This allows us to make inferences about the relationships between sets of decision point values +- (Good) This allows us to make inferences about the relationships between sets of decision point values and the outcomes of the decision. -* (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations +- (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations undefined. -* (Neutral) May require additional information to fully define the relationship between decision point values and outcomes +- (Neutral) May require additional information to fully define the relationship between decision point values and outcomes into a policy -* (Neutral) Requires each decision point to have a "direction" (i.e., a way to order the values) which may not be +- (Neutral) Requires each decision point to have a "direction" (i.e., a way to order the values) which may not be intuitive in all cases. So far we have found that the natural direction is usually intuitive and most often it is - analogous to "less likely to act" → "more likely to act". -* (Good) Although a sense of direction is required, scaling the values is not. So "None, Few, Many" is just as valid as + analogous to "less likely to act" → "more likely to act". +- (Good) Although a sense of direction is required, scaling the values is not. So "None, Few, Many" is just as valid as a more defined interval scale like "0-4, 4-7, 7-9, 9-10" or a more abstract scale like "Low, Medium, High, Critical"[^1]. [^1]: The latter two examples were inspired by CVSS scoring. - ### Confirmation All current decision points are constructed as ordered sets, and the current policy generator tool makes use of that @@ -125,4 +124,3 @@ However, we *can* evaluate new decision points as they are proposed to ensure th - [ADR-0009](0009-outcomes-are-ordered-sets.md) - Outcomes are Ordered Sets - [Partially ordered sets](https://en.wikipedia.org/wiki/Partially_ordered_set) - [Hasse diagram](https://en.wikipedia.org/wiki/Hasse_diagram) - diff --git a/docs/adr/0009-outcomes-are-ordered-sets.md b/docs/adr/0009-outcomes-are-ordered-sets.md index e801f2cc..afc7f561 100644 --- a/docs/adr/0009-outcomes-are-ordered-sets.md +++ b/docs/adr/0009-outcomes-are-ordered-sets.md @@ -13,23 +13,23 @@ rules about the interaction between decision point values and the outcomes of th ## Decision Drivers -* The need to reason about the outcomes of a decision given a set of input values. -* Desire to automate portions of the decision-making process. -* Desire for rules to validate the interaction between decision point values and the outcomes of the decision. +- The need to reason about the outcomes of a decision given a set of input values. +- Desire to automate portions of the decision-making process. +- Desire for rules to validate the interaction between decision point values and the outcomes of the decision. ## Considered Options -* Outcome values are ordered sets. -* Outcome values are unordered sets. +- Outcome values are ordered sets. +- Outcome values are unordered sets. ## Decision Outcome Chosen option: "Outcome values are ordered sets" Rationale: An ordered set implies that for an outcome set $C$ with $n$ values $c_1, c_2, \ldots, c_n$, we can -assert the relationship $c_1 \leq c_2 \leq \ldots \leq c_n$. +assert the relationship $c_1 \leq c_2 \leq \ldots \leq c_n$. -When combining outcomes with a set of decision points into a decision model and policy, we can use that relationship +When combining outcomes with a set of decision points into a decision model and policy, we can use that relationship to assert rules about the resulting policy. For example, if we have a decision model consisting of: @@ -124,24 +124,23 @@ $Outcome(T_1)$ must be equal to or less than the outcome $Outcome(T_2)$ of any t $Outcome(T_1) \leq Outcome(T_2)$ when $T_1 \leq T_2$. -This allows us to generate default policies that map decision values to outcomes following the graph structure of the +This allows us to generate default policies that map decision values to outcomes following the graph structure of the decision model. ### Consequences -* (Good) This allows us to make inferences about the relationships between sets of decision point values +- (Good) This allows us to make inferences about the relationships between sets of decision point values and the outcomes of the decision. -* (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations +- (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations undefined. -* (Neutral) May require additional information to fully define the relationship between decision point values and outcomes +- (Neutral) May require additional information to fully define the relationship between decision point values and outcomes into a policy -* (Neutral) Requires each outcome set to have a "direction" (i.e., a way to order the values) which may not be +- (Neutral) Requires each outcome set to have a "direction" (i.e., a way to order the values) which may not be intuitive in all cases. So far we have found that the natural direction is usually intuitive and most often it is - analogous to "less likely to act" → "more likely to act". -* (Good) Although a sense of direction is required, scaling the values is not. So "Defer, Scheduled, Out-of-Band, Immediate" + analogous to "less likely to act" → "more likely to act". +- (Good) Although a sense of direction is required, scaling the values is not. So "Defer, Scheduled, Out-of-Band, Immediate" is just as valid as a more Service Level Expectation (SLE) oriented "1 hour, 1 day, 1 week, 1 month". - ### Confirmation All current outcomes are constructed as ordered sets, and the current policy generator tool makes use of that @@ -158,4 +157,3 @@ However, we *can* evaluate new outcome sets as they are proposed to ensure that - [ADR-0008](0008-decision-points-are-ordered-sets.md) - Decision Points are Ordered Sets - [Partially ordered sets](https://en.wikipedia.org/wiki/Partially_ordered_set) - [Hasse diagram](https://en.wikipedia.org/wiki/Hasse_diagram) - diff --git a/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md b/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md index 3073af84..86493346 100644 --- a/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md +++ b/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md @@ -11,42 +11,41 @@ consulted: team Should the outcome set be included in a decision model (tree) definition? While a decision point group and their combinations of values define the structure of a tree, an Outcome Set defines -the possible labels of each leaf node. However, in order to decide what labels are appropriate for a leaf node, one -must also be given a policy that maps each input combination (specific decision point values) to a specific outcome +the possible labels of each leaf node. However, in order to decide what labels are appropriate for a leaf node, one +must also be given a policy that maps each input combination (specific decision point values) to a specific outcome (drawn from an outcome set). But both the policy and the outcome set are actually stakeholder-specific. -The example trees we provide are at best a guess at a reasonable policy for SSVC adopters for each of the decisions we -chose to model. And they also make assumptions about the process that the decision supports. So we assumed that -suppliers have four options for priority. And we assigned outcome labels to leaf nodes based on what seemed reasonable -to us at the time. But we must acknowledge that (a) stakeholders might have an arbitrary number of categories for +The example trees we provide are at best a guess at a reasonable policy for SSVC adopters for each of the decisions we +chose to model. And they also make assumptions about the process that the decision supports. So we assumed that +suppliers have four options for priority. And we assigned outcome labels to leaf nodes based on what seemed reasonable +to us at the time. But we must acknowledge that (a) stakeholders might have an arbitrary number of categories for prioritization (2, 3, 4, 5, ...), and (b) they may have wide variation in what combinations are given which priority. - ## Decision Drivers -* There was some discussion during the development of [ADR 0005](0005-ssvc-decision-point-group-versioning.md) about - whether the outcome set should be included in the tree definition. +- There was some discussion during the development of [ADR 0005](0005-ssvc-decision-point-group-versioning.md) about + whether the outcome set should be included in the tree definition. ## Considered Options -* Include the outcome set in the decision point group definition. -* Omit the outcome set from the decision point group definition. +- Include the outcome set in the decision point group definition. +- Omit the outcome set from the decision point group definition. ## Decision Outcome Chosen option: "Omit the outcome set from the decision point group definition", because the outcome set is -stakeholder-specific and not part of the decision point group's (aka _the tree's_) identity. +stakeholder-specific and not part of the decision point group's (aka *the tree's*) identity. We need to define a few terms here: -- a _decision point group_ is a set of decision points that are used to model a decision. The combinations of the decision - points' values define the structure of the decision model (aka _tree_). -- an _outcome set_ is the set of possible outcomes for a decision model. Each leaf node of a tree is labeled with an +- a *decision point group* is a set of decision points that are used to model a decision. The combinations of the decision + points' values define the structure of the decision model (aka *tree*). +- an *outcome set* is the set of possible outcomes for a decision model. Each leaf node of a tree is labeled with an outcome from the outcome set. -- a _policy_ is a mapping from specific combinations of decision point values to specific outcomes from the outcome set. +- a *policy* is a mapping from specific combinations of decision point values to specific outcomes from the outcome set. A decision point group fully defines the structure of a decision model (tree). The outcome set and the policy are -both stakeholder-specific. +both stakeholder-specific. Two examples for illustrative purposes: @@ -65,21 +64,20 @@ the same decision in the same structure, only differing in their policy applicat If we were to include the outcome set but not the policy in the decision point group definition, then the first example would appear to be "different" whereas the second example would appear to be "the same". This also seems misleading. -For completeness, it is not possible to include the policy without the outcome set, since the policy depends on both +For completeness, it is not possible to include the policy without the outcome set, since the policy depends on both the decision point group and the outcome set. -Therefore, the decision point group's (aka _the tree's_) identity omits both the outcome set and its specific mapping to +Therefore, the decision point group's (aka *the tree's*) identity omits both the outcome set and its specific mapping to the tree structure. The thing we're asserting is that the structure of the tree (as defined by its constituent decision -points and their specific versions) is invariant to the above, therefore the tree's identity omits both the outcome set +points and their specific versions) is invariant to the above, therefore the tree's identity omits both the outcome set and its specific mapping to the tree structure. - ### Consequences -* Good, because we can avoid decision point group versioning events due to changes in the outcome set or policy. -* Good, because SSVC users can share decision point groups as decision models without needing to share their specific +- Good, because we can avoid decision point group versioning events due to changes in the outcome set or policy. +- Good, because SSVC users can share decision point groups as decision models without needing to share their specific outcome sets or policies. -* Bad, because the decision point group definition does not fully specify the decision model including the policy. +- Bad, because the decision point group definition does not fully specify the decision model including the policy. ### Confirmation @@ -87,26 +85,26 @@ This decision is confirmed by the fact that decision point groups are versioned ## Pros and Cons of the Options -### Include the outcome set in the decision point group definition. +### Include the outcome set in the decision point group definition Including the outcome set in the decision point group definition would mean that the decision model (tree) changes whenever the outcome set changes. This would lead to a large number of versioning events for decision point groups whenever the outcome set changes, even if the structure of the decision model (tree) remains the same. -* Good, because the combination of decision points and outcome sets would be fully specified, and users would only +- Good, because the combination of decision points and outcome sets would be fully specified, and users would only need to establish their own policy to use the decision model. -* Bad, because the decision model (tree) would change whenever the outcome set changes, even if the structure of the +- Bad, because the decision model (tree) would change whenever the outcome set changes, even if the structure of the decision model (tree) remains the same. For example, the same structure with a 3-category outcome set and a 4-category - outcome set would be considered different decision models. + outcome set would be considered different decision models. -Furthermore, including both the outcome group _and_ the policy in the decision point group definition would mean that the +Furthermore, including both the outcome group *and* the policy in the decision point group definition would mean that the decision model (tree) version would change whenever the policy changes, even if the structure of the decision model (tree) and the outcome set both remained the same. -* Good, because the decision model (tree) would be fully specified and would not depend on any external factors. -* Bad, because the decision model (tree) would change whenever the policy changes, even if the structure of the +- Good, because the decision model (tree) would be fully specified and would not depend on any external factors. +- Bad, because the decision model (tree) would change whenever the policy changes, even if the structure of the decision model (tree) and the outcome set both remained the same. -* Bad, because the number of versioning events for decision models would be large. +- Bad, because the number of versioning events for decision models would be large. ## More Information diff --git a/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md b/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md index 03609316..b38d427c 100644 --- a/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md +++ b/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md @@ -12,17 +12,16 @@ deciders: adh, jspring Two SSVC decision points happen to match two CVSS v4 supplemental metrics. This ADR is to make clear what the SSVC support plan is in regards to this overlap for future versions of these decision points and metrics. - ## Decision Drivers -* The SSVC and CVSS communities have productively shared ideas and concepts in the past. These two decision points are an example. It was a relatively long process to propose these decision points as CVSS metrics, take feedback from the CVSS community, get text approved, and then port those changes over to SSVC. This all happened several years before we had this formalized decision documentation process within SSVC. +- The SSVC and CVSS communities have productively shared ideas and concepts in the past. These two decision points are an example. It was a relatively long process to propose these decision points as CVSS metrics, take feedback from the CVSS community, get text approved, and then port those changes over to SSVC. This all happened several years before we had this formalized decision documentation process within SSVC. ## Considered Options -* No support, expressed or implied, by either group -* SSVC project commits to mirroring any changes made to CVSS -* CVSS SIG commits to mirroring any changes made by the SSVC project -* Both the second and third options, leading to joint decision making on these two decision points / metrics. +- No support, expressed or implied, by either group +- SSVC project commits to mirroring any changes made to CVSS +- CVSS SIG commits to mirroring any changes made by the SSVC project +- Both the second and third options, leading to joint decision making on these two decision points / metrics. ## Decision Outcome @@ -31,14 +30,11 @@ there are no structured agreements in place that could create a service expectat The CVSS SIG is an independent group, even if there may be some overlap with the SSVC community, and SSVC cannot require or expect any changes by CVSS. While SSVC may mirror any changes the CVSS SIG makes to these metrics in the future, that change should be considered by the SSVC community indepdently on its merits, through the normal change management processes for suggestions to amend decision points. - ### Consequences -* Good, because low overhead -- no additional organizational structures -* Good, because leaves the opportunity for continued synchronization open if everyone agrees -* Bad, because no guarantee of future synchronization - - +- Good, because low overhead -- no additional organizational structures +- Good, because leaves the opportunity for continued synchronization open if everyone agrees +- Bad, because no guarantee of future synchronization ### Confirmation @@ -47,4 +43,3 @@ The implementation of this decision is confirmed by continued use of SSVC commun ## More Information This decision could hypothetically be revisited at the request of the CVSS SIG. - diff --git a/docs/adr/_template.md b/docs/adr/_template.md index f4da6f8c..4e991b46 100644 --- a/docs/adr/_template.md +++ b/docs/adr/_template.md @@ -16,16 +16,16 @@ informed: {list everyone who is kept up-to-date on progress; and with whom there ## Decision Drivers -* {decision driver 1, e.g., a force, facing concern, …} -* {decision driver 2, e.g., a force, facing concern, …} -* … +- {decision driver 1, e.g., a force, facing concern, …} +- {decision driver 2, e.g., a force, facing concern, …} +- … ## Considered Options -* {title of option 1} -* {title of option 2} -* {title of option 3} -* … +- {title of option 1} +- {title of option 2} +- {title of option 3} +- … ## Decision Outcome @@ -35,9 +35,9 @@ Chosen option: "{title of option 1}", because ### Consequences -* Good, because {positive consequence, e.g., improvement of one or more desired qualities, …} -* Bad, because {negative consequence, e.g., compromising one or more desired qualities, …} -* … +- Good, because {positive consequence, e.g., improvement of one or more desired qualities, …} +- Bad, because {negative consequence, e.g., compromising one or more desired qualities, …} +- … ### Confirmation @@ -53,22 +53,22 @@ Chosen option: "{title of option 1}", because {example | description | pointer to more information | …} -* Good, because {argument a} -* Good, because {argument b} +- Good, because {argument a} +- Good, because {argument b} -* Neutral, because {argument c} -* Bad, because {argument d} -* … +- Neutral, because {argument c} +- Bad, because {argument d} +- … ### {title of other option} {example | description | pointer to more information | …} -* Good, because {argument a} -* Good, because {argument b} -* Neutral, because {argument c} -* Bad, because {argument d} -* … +- Good, because {argument a} +- Good, because {argument b} +- Neutral, because {argument c} +- Bad, because {argument d} +- … ## More Information @@ -76,4 +76,4 @@ Chosen option: "{title of option 1}", because {You might want to provide additional evidence/confidence for the decision outcome here and/or document the team agreement on the decision and/or define when/how this decision the decision should be realized and if/when it should be re-visited. -Links to other decisions and resources might appear here as well.} \ No newline at end of file +Links to other decisions and resources might appear here as well.} diff --git a/docs/adr/index.md b/docs/adr/index.md index eb58185e..e99a6286 100644 --- a/docs/adr/index.md +++ b/docs/adr/index.md @@ -1,6 +1,6 @@ # SSVC Decision Records -We have adopted the use of [Markdown Any Decision Records](https://adr.github.io/madr/) +We have adopted the use of [Markdown Any Decision Records](https://adr.github.io/madr/) to document significant decisions made in the development of SSVC. Below is a list of all the decision records that have been made. diff --git a/docs/howto/acuity_ramp.md b/docs/howto/acuity_ramp.md index af3b467b..ef1ae271 100644 --- a/docs/howto/acuity_ramp.md +++ b/docs/howto/acuity_ramp.md @@ -1,6 +1,6 @@ # Acuity Ramp -!!! question inline end "Why _Acuity_? Isn't this a _Maturity_ Model?" +!!! question inline end "Why *Acuity*? Isn't this a *Maturity* Model?" The _acuity ramp_ concept is similar to the idea of a _maturity model_, but the term _maturity_ carries a sort of moral bias in the sense that it has an implied "good" direction from "immature" to "mature". @@ -12,7 +12,7 @@ one that is most appropriate for both their decision and context. It is not inherently better to use a higher-resolution decision point, and it is not inherently worse to use a lower-resolution decision point. -An SSVC _acuity ramp_ is a concept that describes a series of decision functions that are increasingly more detailed and +An SSVC *acuity ramp* is a concept that describes a series of decision functions that are increasingly more detailed and complex while addressing the same decision. The idea is that a decision maker can start with a simple decision model and then, as their needs, resources, or abilities change, they can gather and analyze more or different data to understand their environment with more acuity. @@ -21,37 +21,36 @@ their environment with more acuity. In Cybersecurity Threat and Vulnerability analysis, as with most decision-making processes, decision makers must balance trade-offs between the volume, quality, or detail of the information they use and the cost of gathering and -analyzing that information. -There are many good reasons that decision makers might choose to use a lower resolution indicator that is readily +analyzing that information. +There are many good reasons that decision makers might choose to use a lower resolution indicator that is readily available over a higher resolution indicator that comes at a high cost in terms of time, money, or effort. One way to think about the tradeoffs in acuity is to consider the cost or difficulty of gathering and analyzing data. -Some vulnerability information is readily available for free as a public resource. +Some vulnerability information is readily available for free as a public resource. Other information is available for purchase, for example as a subscription to a threat intelligence feed. Still other information is only available if you set up a system to collect and manage it yourself, such as an internal -asset management system. -For direct cost tradeoffs, one might conduct a cost-benefit analysis of whether the additional acuity provides value -more than its cost. Sometimes, tradeoffs are not directly cost-based. +asset management system. +For direct cost tradeoffs, one might conduct a cost-benefit analysis of whether the additional acuity provides value +more than its cost. Sometimes, tradeoffs are not directly cost-based. The quality and readiness for use of the information can also vary. Structured, low resolution public data might be easier to incorporate into a decision model than unstructured data that requires a lot of manual analysis. -At the CERT/CC, we have observed otherwise high quality threat intelligence provided as PDF files with threat indicators +At the CERT/CC, we have observed otherwise high quality threat intelligence provided as PDF files with threat indicators embedded as screenshots of text, which would be difficult to extract and use in a decision model. Another tradeoff is that sometimes one decision point can serve as a close-enough proxy for another decision point that -is more costly or difficult to acquire. For example, in a given deployment context, -[_Value Density_](../reference/decision_points/value_density.md) might be more readily discerned than -[_Mission Impact_](../reference/decision_points/mission_impact.md) for some stakeholders because it's easier to +is more costly or difficult to acquire. For example, in a given deployment context, +[*Value Density*](../reference/decision_points/value_density.md) might be more readily discerned than +[*Mission Impact*](../reference/decision_points/mission_impact.md) for some stakeholders because it's easier to count how many of something there are than to estimate the impact of a loss of specific instances of the thing. -Alternately, information about _Value Density_ might be available from another source, such as a CVSS v4 scoring provider, -whereas _Mission Impact_ might require a more detailed understanding of the stakeholder's mission and environment. -An organization might start with _Value Density_ as a proxy for _Mission Impact_ and then, as they develop a better -understanding of their environment, they could replace _Value Density_ with _Mission Impact_ in their decision model. - +Alternately, information about *Value Density* might be available from another source, such as a CVSS v4 scoring provider, +whereas *Mission Impact* might require a more detailed understanding of the stakeholder's mission and environment. +An organization might start with *Value Density* as a proxy for *Mission Impact* and then, as they develop a better +understanding of their environment, they could replace *Value Density* with *Mission Impact* in their decision model. ## An Acuity Ramp in Action -The _acuity ramp_ idea is a way to show how a stakeholder could "grow into" their desired decision function as their +The *acuity ramp* idea is a way to show how a stakeholder could "grow into" their desired decision function as their data collection and analysis capabilities increase. We demonstrate this with the following example. !!! example "An Acuity Ramp for a Growing System Deployer Organization" @@ -146,16 +145,15 @@ data collection and analysis capabilities increase. We demonstrate this with the In this way, the organization can grow into a more detailed decision model as their understanding and capabilities improve. - ## Conclusion -The _acuity ramp_ concept is a way to show how a stakeholder could "grow into" their desired decision function as their +The *acuity ramp* concept is a way to show how a stakeholder could "grow into" their desired decision function as their data collection and analysis capabilities improve. It is a way to show how a decision model can be adapted to the context of the decision maker, and how the decision maker can make trade-offs between the cost of gathering information and the quality of the decision they are able to make. -The example above is just a single illustration of the _acuity ramp_ concept. There are many other ways that an -organization might evolve their decision model from a simple starting point toward a more detailed decision model for +The example above is just a single illustration of the *acuity ramp* concept. There are many other ways that an +organization might evolve their decision model from a simple starting point toward a more detailed decision model for any particular decision. Substituting one decision point for another, adding decision points over time, or even customizing decision points to better fit the organization's specific context are all ways that an organization might grow from a simple decision model to a more robust one. diff --git a/docs/howto/bootstrap/collect.md b/docs/howto/bootstrap/collect.md index 53381718..cc28d073 100644 --- a/docs/howto/bootstrap/collect.md +++ b/docs/howto/bootstrap/collect.md @@ -11,10 +11,10 @@ While the actual collection of operational data is outside the scope of SSVC, it of the process. SSVC is designed to be flexible enough to accommodate a variety of data collection methods. The [Data Mapping](prepare.md) step defines the data that is needed to assign a value to each decision point. -The Data Operations process collects that data so that it can be used to assign values to decision points in the +The Data Operations process collects that data so that it can be used to assign values to decision points in the [Use SSVC](use.md) step. -We include a feedback loop on the data collection node to indicate that it is expected to be a continuous process. +We include a feedback loop on the data collection node to indicate that it is expected to be a continuous process. ```mermaid flowchart LR @@ -59,7 +59,6 @@ That caveat notwithstanding, some automation is possible. At least, for those vulnerabilities that are not “automatically” PoC-ready, such as on-path attackers for TLS or network replays. - Some of the decision points require a substantial upfront analysis effort to gather risk assessment or organizational data. However, once gathered, this information can be efficiently reused across many vulnerabilities and only refreshed @@ -70,7 +69,6 @@ occasionally. An obvious example of this is the [Mission Impact](../../reference/decision_points/mission_impact.md) decision point. To answer this, a deployer must analyze their Mission Essential Functions (MEFs), how they interrelate, and how they are supported. - !!! example "Evidence of System Exposure" [System Exposure](../../reference/decision_points/system_exposure.md) is similar; answering that decision point requires an asset inventory, adequate understanding of the network @@ -78,7 +76,6 @@ occasionally. Independently operated scans, such as Shodan or Shadowserver, may play a role in evaluating exposure, but the entire exposure question cannot be reduced to a binary question of whether an organization’s assets appear in such databases. - Once the deployer has the situational awareness to understand their Mission Essential Functions or System Exposure, selecting the answer for each individual vulnerability is usually straightforward. @@ -98,7 +95,7 @@ In the case where no information is available or the organization has not yet ma we can suggest something like defaults for some decision points. !!! tip "Default Exploitation Values" - + [*Exploitation*](../../reference/decision_points/exploitation.md) needs no special default; if adequate searches are made for exploit code and none is found, the answer is [*none*](../../reference/decision_points/exploitation.md). @@ -108,7 +105,6 @@ we can suggest something like defaults for some decision points. means they do not know where the devices are or how they are controlled, so they should assume [*System Exposure*](../../reference/decision_points/system_exposure.md) is [*open*](../../reference/decision_points/system_exposure.md). - !!! tip "Default Automatable Values" If nothing is known about [*Automatable*](../../reference/decision_points/automatable.md), the safer answer to assume is [*yes*](../../reference/decision_points/automatable.md). @@ -127,7 +123,6 @@ we can suggest something like defaults for some decision points. Similarly, with [*Mission Impact*](../../reference/decision_points/mission_impact.md), the deployer should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume [*support crippled*](../../reference/decision_points/mission_impact.md) as a default. - !!! example "Using Defaults" diff --git a/docs/howto/bootstrap/index.md b/docs/howto/bootstrap/index.md index 95042e6c..293d4afb 100644 --- a/docs/howto/bootstrap/index.md +++ b/docs/howto/bootstrap/index.md @@ -21,4 +21,4 @@ Using SSVC to prioritize vulnerability response requires a few steps. The steps {% include-markdown "howto/bootstrap/_steps_table.md" %} We cover each of these in the following sections, starting with [Prepare to Use SSVC](prepare.md). -If you want to skip ahead to the full process, see [Bootstrapping SSVC Summary](summary.md). \ No newline at end of file +If you want to skip ahead to the full process, see [Bootstrapping SSVC Summary](summary.md). diff --git a/docs/howto/bootstrap/prepare.md b/docs/howto/bootstrap/prepare.md index 710aab40..79f144ea 100644 --- a/docs/howto/bootstrap/prepare.md +++ b/docs/howto/bootstrap/prepare.md @@ -18,7 +18,6 @@ the information you need to make that decision, and the policy you want to use t bring to the decision making process is essential. SSVC adoption is not just a process for the security team or technical staff. - Here is a diagram of the preparation process: ```mermaid @@ -53,7 +52,7 @@ We will go through each step in detail. ## Choose a Decision to Model !!! example inline end - + Decisions we have modeled with SSVC include: - [Patch Supplier Prioritization](../supplier_tree.md) @@ -120,7 +119,7 @@ flowchart LR oss --> cos ``` -!!! example +!!! example Imagine two different Service Providers, each of which is responsible for managing vulnerabilities in their respective environments. @@ -140,7 +139,7 @@ A single decision point enumerates a set of options for a particular aspect of t We have defined a number of decision points in the [SSVC documentation](../../reference/decision_points/index.md). You can choose from these decision points, or you can define your own decision points to meet your needs. -Whether you choose from the existing decision points or define your own, the set of decision points you use to make a +Whether you choose from the existing decision points or define your own, the set of decision points you use to make a decision is called a Decision Point Set. ```mermaid @@ -182,7 +181,6 @@ flowchart LR device safety regulations. So, the medical device manufacturer might define a decision point called _Regulated_ with the values _Regulated Device_, _Non-Regulated Device_, and _Support Service_. - ## Define Policy So far, you have chosen a decision to model, defined the possible outcomes for that decision, and defined the information you need to make that decision. @@ -223,14 +221,14 @@ flowchart LR example—that is, the mapping from decision point values to outcomes—is not appropriate for their needs because it has too few _Immediate_ outcomes to suit their policy. Therefore, the bank decides to reuse the same decision point set and outcome set but define their own policy. - + ## Map Data to Model Inputs In SSVC, data mapping is the process of defining what data can be used to assign a value to each decision point. The resulting data map indicates which data sources are relevant to each decision point, and how to interpret the data from each data source to assign a value to the decision point. -```mermaid +```mermaid --- title: Data Mapping Process --- @@ -252,7 +250,7 @@ flowchart LR dd --> ddf ddf --> dp2d dp2d --> dpm -``` +``` !!! example @@ -270,7 +268,6 @@ flowchart LR containing the SLA data, and document that the script they wrote will assign a value to the _Service Level_ decision point based on the SLA data. - !!! tip inline end "CERT RMM on Vulnerability Analysis and Resolution" The process of maintaining SSVC decision models is a governance process. @@ -291,11 +288,11 @@ flowchart LR ## Establish Governance The final step in preparing to use SSVC is to establish a governance process for the decision model. -This process should ensure that the decision model remains relevant to the organization's needs and that the data +This process should ensure that the decision model remains relevant to the organization's needs and that the data used to make decisions is accurate and up-to-date. It need not be complex or burdensome. -A lightweight governance process might resemble a review of this _Prepare_ step for each decision modeled using +A lightweight governance process might resemble a review of this *Prepare* step for each decision modeled using SSVC. Each of the items we discussed above could be reviewed in turn, ensuring that: - The decision itself remains relevant to the organization @@ -304,7 +301,7 @@ SSVC. Each of the items we discussed above could be reviewed in turn, ensuring t - The policy remains relevant to the organization's needs - The data sources remain relevant to informing the decision points -Depending on the review, any necessary adjustments can be made to the outcomes, decision points, policy, data map, +Depending on the review, any necessary adjustments can be made to the outcomes, decision points, policy, data map, or operational processes. ```mermaid @@ -368,6 +365,3 @@ um --> po - Are there new data sources we should consider? - Are there data sources we are using that are no longer relevant? - Is our data mapping still appropriate? - - - diff --git a/docs/howto/bootstrap/summary.md b/docs/howto/bootstrap/summary.md index 409c7fe6..1de97b42 100644 --- a/docs/howto/bootstrap/summary.md +++ b/docs/howto/bootstrap/summary.md @@ -8,42 +8,41 @@ We covered each of these in the previous sections, see the links in the table ab The diagram below shows the complete process of using SSVC. - ```mermaid flowchart TD start([Start]) subgraph prep [Prepare to use SSVC] - dcd{{Choose Decision to Model}} - d[/Decision/] + dcd{{Choose Decision to Model}} + d[/Decision/] l4((1)) - subgraph outcomes [Define Outcomes] - oc1[/Use available
outcome sets?\] - dos{{Define Outcome Sets}} - oss[\Outcome Sets/] - cos{{Choose Outcome Set}} - os[/Outcome Set/] - end + subgraph outcomes [Define Outcomes] + oc1[/Use available
outcome sets?\] + dos{{Define Outcome Sets}} + oss[\Outcome Sets/] + cos{{Choose Outcome Set}} + os[/Outcome Set/] + end l5((1)) - subgraph decisionpoints [Define Inputs] - dp1[/Use available
decision points?\] - ddp{{Define Decision Points}} - dpt[\Decision Points/] - cdp{{Choose Decision Points}} - dps[/Decision Point Set/] - end + subgraph decisionpoints [Define Inputs] + dp1[/Use available
decision points?\] + ddp{{Define Decision Points}} + dpt[\Decision Points/] + cdp{{Choose Decision Points}} + dps[/Decision Point Set/] + end l6((1)) - subgraph dataeng [Data Mapping] - dd1[/Use existing data?\] - dpm[/Data Map/] - dp2d{{Map Decision Points to Data}} - dd{{Define Data}} - ddf[/Data Definition/] - end + subgraph dataeng [Data Mapping] + dd1[/Use existing data?\] + dpm[/Data Map/] + dp2d{{Map Decision Points to Data}} + dd{{Define Data}} + ddf[/Data Definition/] + end l7((1)) - subgraph policy [Policy Development] - dfp{{Define Policy}} - p[/Policy/] - end + subgraph policy [Policy Development] + dfp{{Define Policy}} + p[/Policy/] + end subgraph gov [Governance] eg{{Establish Governance Process}} gp[[Governance Process]] @@ -52,17 +51,17 @@ subgraph prep [Prepare to use SSVC] end subgraph dataops [Data Operations] - cd[Collect Data] - vd[/Vulnerability Data/] - ed[/Environment Data/] + cd[Collect Data] + vd[/Vulnerability Data/] + ed[/Environment Data/] dt[\Available Data/] end subgraph runtime [Use SSVC] - mdp[[Apply Decision Point Mapping to Data]] - dp[/Decision Point Values/] - ap[[Apply Policy]] - oc[/Outcome/] + mdp[[Apply Decision Point Mapping to Data]] + dp[/Decision Point Values/] + ap[[Apply Policy]] + oc[/Outcome/] end r[Vulnerability Response] start --> dcd @@ -115,4 +114,3 @@ r --> l1((2)) l2((2)) --> cd l6 --> dd1 ``` - diff --git a/docs/howto/bootstrap/use.md b/docs/howto/bootstrap/use.md index 0f7ed8d1..6b75cba6 100644 --- a/docs/howto/bootstrap/use.md +++ b/docs/howto/bootstrap/use.md @@ -30,9 +30,8 @@ flowchart LR ap --> oc ``` - !!! example - + A government agency has a need to prioritize vulnerability response as part of their vulnerability management process. Certain vulnerabilities require special handling as a matter of government policy, and the agency wants to make sure that they are not overlooked. @@ -90,7 +89,7 @@ Not every stakeholder will use the decision points to make comparable decisions. [Suppliers](../supplier_tree.md) and [deployers](../deployer_tree.md) make interdependent decisions, but the actions of one group are not strictly dependent on the other. Recall that one reason for this is that SSVC is about prioritizing a vulnerability response action in general, not specifically applying a patch that a supplier produced. [Coordinators](../coordination_intro.md) are particularly interested in facilitating communication because that is their core function. -This section handles three aspects of this challenge: +This section handles three aspects of this challenge: - formats for communicating SSVC - how to handle partial or incomplete information @@ -106,7 +105,7 @@ This section discusses the situation where one stakeholder, usually a supplier o We provide a structured communication format for SSVC information using JSON schemas. The goal of this format is to capture all the context and details about a decision or work item in a clear and machine-readable way. -- The [provision schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Provision.schema.json) is equivalent to a decision model and documents the full set of logical statements that a +- The [provision schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Provision.schema.json) is equivalent to a decision model and documents the full set of logical statements that a stakeholder uses to make decisions. - The [computed schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Computed.schema.json) expresses a set of information about a work item or vulnerability at a point in time. A computed schema should identify the provision schema used, so the options from which the information was computed are specified. @@ -123,8 +122,7 @@ A computed schema should identify the provision schema used, so the options from The `value` term is derived the same way as `decision point` except start with the value name as given in the relevant decision point subsection of [Likely Decision Points and Relevant Data](../../reference/decision_points/index.md). - -### Partial or Incomplete Information +### Partial or Incomplete Information What an analyst knows about a vulnerability may not be complete. However, the vulnerability management community may still benefit from partial information. @@ -217,14 +215,13 @@ Risk tolerance and risk appetite are primarily reflected in the priority labels | [*Utility*](../../reference/decision_points/utility.md) | every 6 months | | [*Public Safety Impact*](../../reference/decision_points/public_safety_impact.md) | every 1 year | - ### Decision Points Under Direct Control The following decision points are usually in the control of the organization running SSVC and should be re-evaluated when a relevant change is made or during annual reviews of assets. - - [*Situated Safety Impact*](../../reference/decision_points/safety_impact.md) - - [*Mission Impact*](../../reference/decision_points/mission_impact.md) - - [*System Exposure*](../../reference/decision_points/system_exposure.md) +- [*Situated Safety Impact*](../../reference/decision_points/safety_impact.md) +- [*Mission Impact*](../../reference/decision_points/mission_impact.md) +- [*System Exposure*](../../reference/decision_points/system_exposure.md) ### Timestamping SSVC Information diff --git a/docs/howto/coordination_intro.md b/docs/howto/coordination_intro.md index abccf08a..e290b5b2 100644 --- a/docs/howto/coordination_intro.md +++ b/docs/howto/coordination_intro.md @@ -5,7 +5,6 @@ Since coordinators neither supply nor deploy the vulnerable component in questio [suppliers'](supplier_tree.md) or [deployers'](deployer_tree.md) decisions. This section provides a window into CERT/CC's decisions as an example of how a coordinator might use SSVC to make its own decisions. - Coordinators vary quite a lot, and their use of SSVC may likewise vary. A coordinator may want to gather and publish information about SSVC decision points that it does not use internally in order to assist its constituents. Furthermore, a coordinator may only publish some of the information it uses to make decisions. @@ -13,9 +12,9 @@ Consistent with other stakeholder perspectives (supplier and deployer), SSVC pro For more information about types of coordinators and their facilitation actions within vulnerability management, see [The CERT Guide to Coordinated Vulnerability Disclosure](https://certcc.github.io/CERT-Guide-to-CVD/topics/roles/coordinator/) -The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are +The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are -1. [Coordination Triage](coordination_triage_decision.md) - The initial triage of vulnerability reports. This initial coordination decision is a prioritization decision, but it +1. [Coordination Triage](coordination_triage_decision.md) - The initial triage of vulnerability reports. This initial coordination decision is a prioritization decision, but it does not have the same values as prioritization by a [deployer](deployer_tree.md) or [supplier](supplier_tree.md). 2. [Publication](publication_decision.md) - Whether a publication about a vulnerability is warranted. The publication decision for us is a binary yes/no. @@ -25,9 +24,7 @@ These two decisions are not the entirety of vulnerability coordination, but we l For another example of how a coordinator is using SSVC, see the [CISA SSVC](https://www.cisa.gov/ssvc) website. - Different coordinators have different scopes and constituencies. See [The CERT Guide to Coordinated Vulnerability Disclosure](https://certcc.github.io/CERT-Guide-to-CVD/topics/roles/coordinator/) for a listing of different coordinator types. If a coordinator receives a report that is outside its own work scope or constituency, it should make an effort to route the report to a more suitable coordinator. The decisions in this section assume the report or vulnerability in question is within the work scope or constituency for the coordinator. - diff --git a/docs/howto/coordination_triage_decision.md b/docs/howto/coordination_triage_decision.md index ec5bf7f1..6ad72cdc 100644 --- a/docs/howto/coordination_triage_decision.md +++ b/docs/howto/coordination_triage_decision.md @@ -11,20 +11,18 @@ This decision is also known as triage. In this case, the stakeholder is the **Coordinator** and the decision is the **priority of coordinating a vulnerability report**. - -## Coordinator Triage Units of Work +## Coordinator Triage Units of Work !!! info inline end "Coordinator Unit of Work" The unit of work for a Coordinator is usually a single report to be coordinated. Coordinator units of work tend to coincide with whatever arrives in a single report, which spans the range from a single -vulnerability affecting a specific version of an individual product from one Supplier all the way to fundamental design +vulnerability affecting a specific version of an individual product from one Supplier all the way to fundamental design flaws in system specifications that could affect every Supplier and product that uses or implements the flawed specification. Coordinators may need to reorganize reports (e.g., merge, split, expand, or contract) according to their workflow demands. SSVC can be applied to either the initial report or to the results of such refinement. - ## Coordinator Triage Decision Outcomes We take three priority levels in our decision about whether and how to [coordinate](https://certcc.github.io/CERT-Guide-to-CVD/tutorials/cvd_is_a_process/) @@ -38,17 +36,15 @@ a vulnerability based on an incoming report: | Track | Receive information about the vulnerability and monitor for status changes but do not take any overt actions. | | Coordinate | Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, publication, and assist another party. | - - - *Decline* — Do not act on the report. May take different forms, including ignoring the report as well as an +- *Decline* — Do not act on the report. May take different forms, including ignoring the report as well as an acknowledgement to the reporter that we will not act and suggest the reporter to go to vendor or publish if unresponsive. - - *Track* — Receive information about the vulnerability and monitor for status changes but do not take any overt actions. - - *Coordinate* — Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, - notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), +- *Track* — Receive information about the vulnerability and monitor for status changes but do not take any overt actions. +- *Coordinate* — Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, + notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), advise only, secondary coordinator (assist another lead coordinator). See the [FIRST CSIRT Services Framework](https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#7-Service-Area-Vulnerability-Management) for additional vulnerability management services a coordinator may provide. - ## Coordinator Triage Decision Points !!! tip inline end "Prior CERT/CC Work on Prioritizing Coordination Decisions" @@ -68,19 +64,19 @@ In addition to using some of the decision points common to [Suppliers](supplier_ The first two function as gating questions: - [Report Public](../reference/decision_points/report_public.md): If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). -- [Supplier Contacted](../reference/decision_points/supplier_contacted.md): If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). +- [Supplier Contacted](../reference/decision_points/supplier_contacted.md): If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). In this case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive. -These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage +These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the decision model below shows. The remaining five decision points are: - [Report Credibility](../reference/decision_points/report_credibility.md): If the report is not credible, then CERT/CC will decline the case. -- [Supplier Cardinality](../reference/decision_points/supplier_cardinality.md): Cases involving multiple suppliers can get complicated very quickly, so we are more likely to get involved in those cases. +- [Supplier Cardinality](../reference/decision_points/supplier_cardinality.md): Cases involving multiple suppliers can get complicated very quickly, so we are more likely to get involved in those cases. - [Supplier Engagement](../reference/decision_points/supplier_engagement.md): If the suppliers are already engaged in a case, there is usually less for a coordinator to do, making it less likely that we will coordinate a case. - [Utility](../reference/decision_points/utility.md): If the vulnerability has high utility, then CERT/CC is more likely to coordinate the case. -- [Public Safety Impact](../reference/decision_points/public_safety_impact.md): If the vulnerability has significant +- [Public Safety Impact](../reference/decision_points/public_safety_impact.md): If the vulnerability has significant public safety impact, then CERT/CC is more likely to coordinate the case. More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. diff --git a/docs/howto/deployer_tree.md b/docs/howto/deployer_tree.md index e6683150..961a475e 100644 --- a/docs/howto/deployer_tree.md +++ b/docs/howto/deployer_tree.md @@ -18,7 +18,7 @@ in their infrastructure. Deployers are usually in the position of receiving remediations or mitigations from their [Suppliers](supplier_tree.md) for products they have deployed. They must then decide whether to deploy the remediation or mitigation to a particular instance (or not). -Whether they have the option of deploying only part of a remediation such as a fix bundle depends on whether the +Whether they have the option of deploying only part of a remediation such as a fix bundle depends on whether the Supplier has engineered their release process to permit that degree of flexibility. For example, if service packs are fix bundles, the Supplier might choose to release individually deployable fixes as well. @@ -35,12 +35,11 @@ The vulnerability management process for deployers has at its core the collation The first must be collected by the Deployer, while the latter two most often originate from the product Supplier. Managing this information is generally called **asset management**. - -In turn, Deployers must resolve this information into specific actions in which a remediation or mitigation is slated +In turn, Deployers must resolve this information into specific actions in which a remediation or mitigation is slated for deployment to replace or modify a particular instance of the product. -The Deployer model described below considers the mission and safety risks inherent to the category of systems to which those +The Deployer model described below considers the mission and safety risks inherent to the category of systems to which those deployed instances belong. -For this reason, we recommend that the pairing of remediation or mitigation to a product version instance constitutes +For this reason, we recommend that the pairing of remediation or mitigation to a product version instance constitutes the unit of work most appropriate for the Deployer. ## Deployer Decision Outcomes @@ -58,16 +57,15 @@ While we've used the same priority names, the meaning of the priority may have d | Out-of-cycle | Act more quickly than usual to apply the mitigation or remediation out-of-cycle, during the next available opportunity, working overtime if necessary. | | Immediate | Act immediately; focus all resources on applying the fix as quickly as possible, including, if necessary, pausing regular organization operations. | - -When remediation is available, usually the action is to apply it. +When remediation is available, usually the action is to apply it. When remediation is not yet available, the action space is more diverse, but it should involve mitigating the vulnerability (e.g., shutting down services or applying additional security controls) or accepting the risk of not mitigating the vulnerability. -Applying mitigations may change the value of decision points. -A mitigation that successfully changes the value of a decision point may shift the priority of further action to a -reduced state. -If applying a mitigation reduces the priority to *defer*, the deployer may not need to apply a remediation if it later -becomes available. +Applying mitigations may change the value of decision points. +A mitigation that successfully changes the value of a decision point may shift the priority of further action to a +reduced state. +If applying a mitigation reduces the priority to *defer*, the deployer may not need to apply a remediation if it later +becomes available. !!! example "Mitigation Examples" @@ -125,7 +123,7 @@ for dp in [EXP, SE, U, HI]: print(example_block(dp)) ``` -In the _Human Impact_ table above, *MEF* stands for Mission Essential Function. +In the *Human Impact* table above, *MEF* stands for Mission Essential Function. ## Deployer Decision Model @@ -138,7 +136,6 @@ Below we provide an example deployer prioritization policy that maps the decisio - An [_active_](../reference/decision_points/exploitation.md) state of [*Exploitation*](../reference/decision_points/exploitation.md) will never result in a *defer* priority. - A [_none_](../reference/decision_points/exploitation.md) state of [*Exploitation*](../reference/decision_points/exploitation.md) (no evidence of exploitation) will result in either *defer* or *scheduled* priority—unless the state of [*Human Impact*](../reference/decision_points/human_impact.md) is [_very high_](../reference/decision_points/human_impact.md), resulting in an *out-of-cycle* priority. - {% include-markdown "../_includes/_tree_notation_tip.md" %} -{{ read_csv('deployer-options.csv') }} \ No newline at end of file +{{ read_csv('deployer-options.csv') }} diff --git a/docs/howto/index.md b/docs/howto/index.md index b3331037..17946887 100644 --- a/docs/howto/index.md +++ b/docs/howto/index.md @@ -31,7 +31,7 @@ At its core are the concepts of: - [**Stakeholder Roles**](../topics/enumerating_stakeholders.md): Different participants in the vulnerability response process have different needs and priorities. Roles can include patch suppliers, deployers, coordinators, and others. - [**Decisions**](../topics/enumerating_decisions.md): Each stakeholder role has a set of decisions to make about how to respond to vulnerabilities. - For a supplier, the decision might be about how to prioritize the creation of patches. For a deployer, the + For a supplier, the decision might be about how to prioritize the creation of patches. For a deployer, the decision might be about how to prioritize the deployment of patches. Coordinators usually need to decide whether to coordinate a response, and whether to publish information about a vulnerability they've coordinated. - [**Decision Points**](../reference/decision_points/index.md): Each decision is made based on a set of inputs, or decision points. These are the factors @@ -41,18 +41,18 @@ At its core are the concepts of: For example, a decision about whether to deploy a patch might have outcomes like "immediate", "scheduled", "deferred", and "out-of-cycle". -Given these concepts, we can combine them into decision models to help stakeholders make decisions about the priority +Given these concepts, we can combine them into decision models to help stakeholders make decisions about the priority with which to act. The definition of choices can take a logical form, such as: - - IF - - - ([*Exploitation*](../reference/decision_points/exploitation.md) IS *Public PoC*) AND - - ([*System Exposure*](../reference/decision_points/system_exposure.md) IS *controlled*) AND - - ([*Automatable*](../reference/decision_points/automatable.md) IS *no*) AND - - ([*Human Impact*](../reference/decision_points/human_impact.md) IS *medium*) +- IF + + - ([*Exploitation*](../reference/decision_points/exploitation.md) IS *Public PoC*) AND + - ([*System Exposure*](../reference/decision_points/system_exposure.md) IS *controlled*) AND + - ([*Automatable*](../reference/decision_points/automatable.md) IS *no*) AND + - ([*Human Impact*](../reference/decision_points/human_impact.md) IS *medium*) - - THEN priority is *scheduled*. +- THEN priority is *scheduled*. This example logical statement is captured in [row 34 of the deployer `.csv` file](https://github.com/CERTCC/SSVC/blob/main/data/csvs/deployer-options.csv#L35). diff --git a/docs/howto/publication_decision.md b/docs/howto/publication_decision.md index f727af0b..1673302a 100644 --- a/docs/howto/publication_decision.md +++ b/docs/howto/publication_decision.md @@ -11,7 +11,6 @@ While other stakeholders may also have to make a publication decision, here we f the combination of the stakeholder and the decision being modeled. In this case, the stakeholder is the **Coordinator** and the decision is **whether to publish an advisory about the vulnerability**. - ## Policy Constraints and Publication Decisions !!! tip inline end "Other Stakeholders' Publication Decisions" @@ -22,7 +21,7 @@ While other stakeholders may also have to make a publication decision, here we f A vulnerability finder may have to decide whether to publish information about a vulnerability they have discovered. Each of these decisions is likely to be different from the coordinator's decision. -The decision to publish information about a vulnerability is a policy choice, and is likely to differ from organization +The decision to publish information about a vulnerability is a policy choice, and is likely to differ from organization to organization. Two points where CERT/CC policy clearly influences the publication decision are embargo periods and scope. @@ -30,9 +29,9 @@ Two points where CERT/CC policy clearly influences the publication decision are As a matter of policy, CERT/CC will support an embargo from the public of information about a vulnerability through its choice not to publish that information while a number of conditions hold: - - - A negotiated embargo timer has not expired. The CERT/CC default embargo period is [45 days](https://certcc.github.io/CERT-Guide-to-CVD/reference/certcc_disclosure_policy/). - - Other exceptions have not been met, including active exploitation of the vulnerability in the wild or other public + +- A negotiated embargo timer has not expired. The CERT/CC default embargo period is [45 days](https://certcc.github.io/CERT-Guide-to-CVD/reference/certcc_disclosure_policy/). +- Other exceptions have not been met, including active exploitation of the vulnerability in the wild or other public discussion of the vulnerability details. Regardless, the decision described in this section assumes the embargo period is over, one way or another. @@ -43,11 +42,9 @@ The second point is related to the [Coordination Triage Decision](coordination_t CERT/CC only expects to publish about vulnerabilities with a [*coordinate*](coordination_triage_decision.md) status. While an issue that is tracked or declined may be reevaluated at a later date and status changed to [*coordinate*](coordination_triage_decision.md), unless that happens we would not publish about the vulnerability. -Other organizations, such as [NVD](https://nvd.nist.gov/), would have different publication criteria and may want to include decision +Other organizations, such as [NVD](https://nvd.nist.gov/), would have different publication criteria and may want to include decision points or the decision itself from the [Coordination Triage Decision](coordination_triage_decision.md) in their publication decision. - - ## Coordinator Publication Units of Work !!! info inline end "Coordinator Publication Unit of Work" @@ -57,11 +54,11 @@ points or the decision itself from the [Coordination Triage Decision](coordinati In the CERT/CC's vulnerability coordination practice, a single report leads to a single coordination case which leads to a single publication. Therefore the unit of work for the publication decision is often the same as the unit of work for the -[coordination triage decision](coordination_triage_decision.md). +[coordination triage decision](coordination_triage_decision.md). -That is sometimes not the case, however. For example, there could be multiple reports of multiple vulnerabilities and -the coordinator might choose to publish a single advisory covering all of them if the vulnerabilities are variations on -a central theme and have a common set of affected products. +That is sometimes not the case, however. For example, there could be multiple reports of multiple vulnerabilities and +the coordinator might choose to publish a single advisory covering all of them if the vulnerabilities are variations on +a central theme and have a common set of affected products. !!! example "Multiple Reports, Single Advisory" @@ -74,7 +71,7 @@ a central theme and have a common set of affected products. Another possibility is that a single report could lead to multiple advisories, for example if the product is a library that is used in multiple other products, and the coordinator chooses to publish separate advisories -based on some other criteria. +based on some other criteria. !!! example "Single Report, Multiple Advisories" @@ -122,17 +119,16 @@ For the CERT/CC, the publication decision is binary: publish or do not publish. a single decision with multiple outcomes, each of which would lead to a different publication vehicle. This is an example of how SSVC can be customized to the needs of the organization using it. - ## Coordinator Publication Decision Points -The publication decision reuses the [*Exploitation*](../reference/decision_points/exploitation.md) decision point -and adds two new ones ([*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) and +The publication decision reuses the [*Exploitation*](../reference/decision_points/exploitation.md) decision point +and adds two new ones ([*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) and [*Public Value Added*](../reference/decision_points/public_value_added.md)). - [*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) - If the supplier is involved and likely to publish already, there is less need for the CERT/CC to publish. - [*Exploitation*](../reference/decision_points/exploitation.md) - If the vulnerability is being actively exploited, the CERT/CC is more likely to publish. - [*Public Value Added*](../reference/decision_points/public_value_added.md) - If there is already significant public discussion of the vulnerability, there might not be - much for the CERT/CC to add, making us less likely to publish. + much for the CERT/CC to add, making us less likely to publish. More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. @@ -149,7 +145,7 @@ for dp in [SI, EXP, PVA]: ## Coordinator Publication Decision Model -An example coordinator publication decision model is shown below. The policy described by the model is based on CERT/CC +An example coordinator publication decision model is shown below. The policy described by the model is based on CERT/CC publication decisions. Other organizations may have different publication criteria and may want to include other decision points in their publication decision model. @@ -157,7 +153,6 @@ in their publication decision model. style="width: 100%;" height = "600" /> - |precedence| p25 va9 -->|ampliative| p26 va9 -->|limited| p27 + ``` --> @@ -274,4 +270,3 @@ flowchart LR {{ read_csv('coord-publish-options.csv') }} - diff --git a/docs/howto/supplier_tree.md b/docs/howto/supplier_tree.md index fc165e57..e714e907 100644 --- a/docs/howto/supplier_tree.md +++ b/docs/howto/supplier_tree.md @@ -43,11 +43,11 @@ Suppliers may also produce mitigations, such as recommended configuration change ## Supplier Decision Outcomes -At a basic level, the decision at a software development organization is whether to issue a work order and what +At a basic level, the decision at a software development organization is whether to issue a work order and what resources to expend to remediate a vulnerability in the organization’s software. Prioritization is required because, at least in the current history of software engineering, the effort to patch all known vulnerabilities will exceed available resources. -The organization considers several other factors to build the patch; refactoring a large portion of the code base may +The organization considers several other factors to build the patch; refactoring a large portion of the code base may be necessary for some patches, while others require relatively small changes. We focus only on the priority of building the patch, and we consider four categories of priority, as outlined in the table below. @@ -90,13 +90,12 @@ for dp in [EXP, U, TI, PSI]: ## Supplier Decision Model -The example supplier decision model below shows a prioritization policy for the supplier. -We display the decision model as a decision tree, which provides a compact representation of the policy, +The example supplier decision model below shows a prioritization policy for the supplier. +We display the decision model as a decision tree, which provides a compact representation of the policy, showing the relative priority of different situations. {% include-markdown "../_includes/_tree_notation_tip.md" %} - diff --git a/docs/howto/tree_customization.md b/docs/howto/tree_customization.md index 35016ecd..5c4ebe68 100644 --- a/docs/howto/tree_customization.md +++ b/docs/howto/tree_customization.md @@ -15,7 +15,7 @@ A stakeholder community may come together and, if there is broad consensus, add ## Customizing a Decision Model -Which decision points are involved in a vulnerability management team's +Which decision points are involved in a vulnerability management team's decision and the priority label for each resulting situation are, for all intents and purposes, totally at the discretion of the team. We have provided some examples for different stakeholder communities here. What decision points a team considers reflects what it cares about and the risks prioritizes. @@ -27,7 +27,7 @@ The other aspect of risk management that SSVC allows a team to customize is its A team's risk appetite is reflected directly by the priority labels for each combination of decision values. For example, a vulnerability with -[no or minor](../reference/decision_points/public_safety_impact.md) +[no or minor](../reference/decision_points/public_safety_impact.md) [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md), [total](../reference/decision_points/technical_impact.md) [*Technical Impact*](../reference/decision_points/technical_impact.md), @@ -57,10 +57,11 @@ To that end, we briefly examine the qualities for which decision tree measuremen ## Decision Tree Construction Concerns -Decision tree construction methods must address five significant concerns: -- feature selection -- feature type -- overfitting +Decision tree construction methods must address five significant concerns: + +- feature selection +- feature type +- overfitting - parsimony - versioning @@ -87,7 +88,7 @@ The use of ordinal features is a key assumption behind our use of the parsimony When decision trees are used in a machine learning context, overfitting increases tree complexity by incorporating the noise in the training data set into the decision points in a tree. In our case, our “data” is just the set of outcomes as decided by humans, so overfitting is less of a concern, assuming the feature selection has been done with care. -### Parsimony +### Parsimony Parsimony is, in essence, Occam's Razor applied to tree selection. Given the choice between two trees that have identical outputs, one should choose the tree with fewer decisions. One way to evaluate the parsimony of a tree is by applying the concept of feature importance to ensure that each feature is contributing adequately to the result. @@ -106,9 +107,11 @@ More likely, however, is that some subset of features will be of relatively equa In this case, the lowest importance feature should be considered for refinement or elimination. It is possible that adjusting the definition of a feature or its available values (whether redefining, adding, or removing options) could increase its importance. Reasons to retain a low-importance feature include: -* the feature is relevant to a small set of important circumstances that a tree without the feature would otherwise be unable to discriminate -* the effort required to determine the correct value for the feature is relatively small, for example information that might be collected automatically -* the feature enables other features to be defined more clearly + +- the feature is relevant to a small set of important circumstances that a tree without the feature would otherwise be unable to discriminate +- the effort required to determine the correct value for the feature is relatively small, for example information that might be collected automatically +- the feature enables other features to be defined more clearly + Features that meet none of the above criteria may be good candidates for elimination. Customizing a tree by changing the outcome priority labels can also affect the importance of a feature. @@ -126,12 +129,14 @@ SSVC trees should be identifiable by name and version. A tree name is simply a s Communities of shared interest may desire to share information about decision points or even create custom trees to share within their community. Examples include: + - an Information Sharing and Analysis Organization (ISAO) within a critical infrastructure sector might want to define a custom decision point relevant to their constituents' regulatory compliance. - a corporate Computer Security Incident Response Team (CSIRT) might choose to adjust decision priorities for an existing tree for use by its subsidiaries. - a government department might define a separate tree using existing decision points to address a particular governance process within their constituent agencies. -- a regional coordinator might want to produce decision point information as a product of its threat analysis work and provide this information to its constituency in an advisory. +- a regional coordinator might want to produce decision point information as a product of its threat analysis work and provide this information to its constituency in an advisory. In these and other scenarios, there are two scopes to consider: + 1. Decision Point Scope 2. Decision Tree Scope @@ -139,19 +144,21 @@ In these and other scenarios, there are two scopes to consider: Each decision point defined in this document has a characteristic scope, either *stakeholder-agnostic* or *stakeholder-specific*. -- **Stakeholder-agnostic decision points** describe the state of the world outside the stakeholder's environment. +- **Stakeholder-agnostic decision points** describe the state of the world outside the stakeholder's environment. One might think of them as global facts that form the background context in which the stakeholder is making a prioritization decision. -Nearly all stakeholders should agree on the assignment of specific values to these decision points. +Nearly all stakeholders should agree on the assignment of specific values to these decision points. - **Stakeholder-specific decision points** are expected to be contextual to some set of stakeholders. Information about a stakeholder-specific decision point can still be inherited by other stakeholders using the same tree. For example in the corporate CSIRT scenario above, the [*System Exposure*](../reference/decision_points/system_exposure.md) value might be consistent across all subsidiaries for a centrally managed service. We generally consider the following decision points to be *stakeholder-agnostic*: + - [*Exploitation*](../reference/decision_points/exploitation.md) - [*Technical Impact*](../reference/decision_points/technical_impact.md) - [*Automatable*](../reference/decision_points/automatable.md) On the contrary, we consider the following decision points to be *stakeholder-specific*: + - [*Value Density*](../reference/decision_points/value_density.md) - [Utility](../reference/decision_points/utility.md) - [*Safety Impact*](../reference/decision_points/safety_impact.md) @@ -163,13 +170,14 @@ On the contrary, we consider the following decision points to be *stakeholder-sp We anticipate that most custom decision points created by stakeholders for themselves or a constituency will be of the *stakeholder-specific* variety. Examples of these sorts of custom decision points include + - A decision point indicating whether a system or mission context is affected by regulatory oversight that might alter the decision priority. E.g., a healthcare-focused ISAO might define a decision point about whether a vulnerability affects patient data privacy protection. - A decision point that incorporates the concept of change risk to a deployer. E.g., a financial institution might have a very low tolerance for changes to a transaction clearing system. - A decision point that indicates whether the affected software belongs to a list of critical software for a specific constituency. E.g., an open-source consortium might want to prioritize fix development for a set of key projects. - + ### Decision Tree Scope Two kinds of modifications are possible at the decision tree level. @@ -178,7 +186,7 @@ Two kinds of modifications are possible at the decision tree level. For example, an organization with sufficient resources to efficiently deploy fixes might choose to defer fewer cases than the default tree would recommend. - *Tree Customization* can be done in one of three ways: 1. incorporating an already-defined decision point into an existing tree that does not already contain it. - 2. defining a new decision point and adding it to an existing tree. + 2. defining a new decision point and adding it to an existing tree. Note that adding or removing an option from an existing decision point should be treated as creating a new decision point. The new decision point should be given a distinct name as well. 3. defining a new tree entirely from existing or new decision points. @@ -188,4 +196,3 @@ Because tree customization changes the tree structure and implies the addition o Risk-shifted or customized trees can be shared among a community of interest, of course. Further customization within each stakeholder remains an option as well, although there is likely a diminishing return on more than a few layers of customization for the same basic decision. Of course, SSVC users might choose to construct other trees to inform other decisions. - diff --git a/docs/index.md b/docs/index.md index c6faf6d3..8713f65b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,17 +1,16 @@ # Stakeholder-Specific Vulnerability Categorization -SSVC stands for A Stakeholder-Specific Vulnerability Categorization. +SSVC stands for A Stakeholder-Specific Vulnerability Categorization. It is a methodology for prioritizing vulnerabilities based on the needs of the stakeholders involved in the vulnerability management process. SSVC is designed to be used by any stakeholder in the vulnerability management process, including finders, vendors, coordinators, deployers, and others. - ## Where to go from here We have organized the SSVC documentation into four main sections:
-- :material-television-shimmer:{ .lg .middle } __Get Started with SSVC__ +- :material-television-shimmer:{ .lg .middle } **Get Started with SSVC** --- @@ -20,7 +19,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: Learning SSVC](tutorials/index.md) -- :material-clipboard-check:{ .lg .middle } __SSVC How To__ +- :material-clipboard-check:{ .lg .middle } **SSVC How To** --- @@ -29,7 +28,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: SSVC How To](howto/index.md) -- :fontawesome-solid-book:{ .lg .middle } __Learn More about SSVC__ +- :fontawesome-solid-book:{ .lg .middle } **Learn More about SSVC** --- @@ -38,7 +37,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: Understanding SSVC](topics/index.md) -- :material-book-open-page-variant:{ .lg .middle } __SSVC Reference__ +- :material-book-open-page-variant:{ .lg .middle } **SSVC Reference** --- @@ -49,5 +48,4 @@ We have organized the SSVC documentation into four main sections:
- {% include-markdown "_includes/helping_out.md" heading-offset=1 %} diff --git a/docs/reference/code/analyze_csv.md b/docs/reference/code/analyze_csv.md index 1f47e1ab..8bee1a2c 100644 --- a/docs/reference/code/analyze_csv.md +++ b/docs/reference/code/analyze_csv.md @@ -1,4 +1,3 @@ # SSVC CSV Analyzer ::: ssvc.csv_analyzer - diff --git a/docs/reference/code/doctools.md b/docs/reference/code/doctools.md index edd3b5e0..a589b962 100644 --- a/docs/reference/code/doctools.md +++ b/docs/reference/code/doctools.md @@ -1,4 +1,3 @@ # Doctools ::: ssvc.doctools - diff --git a/docs/reference/code/index.md b/docs/reference/code/index.md index 726664c0..8f2f47ad 100644 --- a/docs/reference/code/index.md +++ b/docs/reference/code/index.md @@ -6,4 +6,4 @@ These include: - [CSV Analyzer](analyze_csv.md) - [Policy Generator](policy_generator.md) - [Outcomes](outcomes.md) -- [Doctools](doctools.md) \ No newline at end of file +- [Doctools](doctools.md) diff --git a/docs/reference/code/policy_generator.md b/docs/reference/code/policy_generator.md index fa6e8477..4520599f 100644 --- a/docs/reference/code/policy_generator.md +++ b/docs/reference/code/policy_generator.md @@ -5,5 +5,4 @@ policy (a decision tree) from a set of input parameters. It is intended to be used as a library, for example within a Jupyter notebook. - -::: ssvc.policy_generator \ No newline at end of file +::: ssvc.policy_generator diff --git a/docs/reference/decision_points/automatable.md b/docs/reference/decision_points/automatable.md index 171c7cbb..f3b1cedd 100644 --- a/docs/reference/decision_points/automatable.md +++ b/docs/reference/decision_points/automatable.md @@ -1,6 +1,5 @@ # Automatable - ```python exec="true" idprefix="" from ssvc.decision_points.automatable import LATEST from ssvc.doc_helpers import example_block @@ -8,13 +7,11 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - !!! tip "See also" Automatable combines with [Value Density](./value_density.md) to inform [Utility](./utility.md) - *Automatable* captures the answer to the question “Can an attacker reliably automate creating exploitation events for this vulnerability?” !!! question "What are Steps 1-4 of the Kill Chain?" @@ -29,13 +26,11 @@ print(example_block(LATEST)) 2. weaponization may require human direction for each target 3. delivery may require channels that widely deployed network security configurations block 4. exploitation is not reliable, due to exploit-prevention techniques (e.g., ASLR) enabled by default - !!! question "When is Automatable *yes*?" If the vulnerability allows remote code execution or command injection, the expected response should be yes. - Due to vulnerability chaining, there is some nuance as to whether reconnaissance can be automated. !!! example "Vulnerability Chaining" @@ -78,4 +73,3 @@ for version in versions: *Virulence* is superseded by *Automatable*, which clarified the concept we we were attempting to capture. - \ No newline at end of file diff --git a/docs/reference/decision_points/compound_decision_points.md b/docs/reference/decision_points/compound_decision_points.md index cca71dfe..43f0e385 100644 --- a/docs/reference/decision_points/compound_decision_points.md +++ b/docs/reference/decision_points/compound_decision_points.md @@ -7,4 +7,3 @@ Examples of compound decision points include: - [Human Impact](human_impact.md) - [Public Safety Impact](public_safety_impact.md) - [Utility](utility.md) - diff --git a/docs/reference/decision_points/exploitation.md b/docs/reference/decision_points/exploitation.md index bed76396..478d4033 100644 --- a/docs/reference/decision_points/exploitation.md +++ b/docs/reference/decision_points/exploitation.md @@ -1,5 +1,4 @@ -# Exploitation - +# Exploitation ```python exec="true" idprefix="" from ssvc.decision_points.exploitation import LATEST @@ -36,10 +35,8 @@ The intent of this measure is the present state of exploitation of the vulnerabi ## CWE-IDs for *PoC* - The table below lists CWE-IDs that could be used to mark a vulnerability as *PoC* if the vulnerability is described by the CWE-ID. - !!! example "CWE-295" For example, [CWE-295 Improper Certificate Validation diff --git a/docs/reference/decision_points/human_impact.md b/docs/reference/decision_points/human_impact.md index 7f970a6b..04057d11 100644 --- a/docs/reference/decision_points/human_impact.md +++ b/docs/reference/decision_points/human_impact.md @@ -15,7 +15,7 @@ print(example_block(LATEST)) Note: This is a compound decision point[^1], therefore it is a notational convenience. *Human Impact* is a combination of how a vulnerability can affect an organization's mission essential functions as well as -safety considerations, whether for the organization's personnel or the public at large. +safety considerations, whether for the organization's personnel or the public at large. We observe that the day-to-day operations of an organization often have already built in a degree of tolerance to small-scale variance in mission impacts. Thus in our opinion we need only concern ourselves with discriminating well at the upper end of the scale. Therefore we combine the two lesser mission impacts of degraded and MEF support crippled into a single category, while retaining the distinction between MEF Failure and Mission Failure at the extreme. @@ -30,10 +30,9 @@ The mapping is shown in the table above. [^1]: In pilot implementations of SSVC, we received feedback that organizations tend to think of mission and safety impacts as if they were combined into a single factor: in other words, the priority increases regardless which of the two impact factors was increased. We therefore combine [Safety Impact](safety_impact.md) and -[Mission Impact](mission_impact.md) for deployers into a single _Human Impact_ factor +[Mission Impact](mission_impact.md) for deployers into a single *Human Impact* factor as a dimension reduction step. - ## Safety and Mission Impact Decision Points for Industry Sectors We expect to encounter diversity in both safety and mission impacts across different organizations. @@ -45,7 +44,6 @@ provide SSVC information tailored as appropriate to their constituency's safety For considerations on how organizations might communicate SSVC information to their constituents, see [Guidance on Communicating Results](../../howto/bootstrap/use.md). - ## Prior Versions ```python exec="true" idprefix="" diff --git a/docs/reference/decision_points/index.md b/docs/reference/decision_points/index.md index ec64f9a7..1f002796 100644 --- a/docs/reference/decision_points/index.md +++ b/docs/reference/decision_points/index.md @@ -41,7 +41,7 @@ decision points. Sometimes this is a "better" or "worse" dimension, but it seems to generalize to a "more likely to act" or "less likely to act" of dimension. -!!! question "Where are the _Unknown_ options?" +!!! question "Where are the *Unknown* options?" One important omission from the values for each category is an *unknown* option. Instead, we recommend explicitly identifying an option that is a reasonable assumption based on prior events. diff --git a/docs/reference/decision_points/mission_impact.md b/docs/reference/decision_points/mission_impact.md index 9af10310..f4aa3a48 100644 --- a/docs/reference/decision_points/mission_impact.md +++ b/docs/reference/decision_points/mission_impact.md @@ -12,31 +12,30 @@ print(example_block(LATEST)) Mission Impact combines with [Safety Impact](./safety_impact.md) to inform [Human Impact](./human_impact.md) -A **mission essential function (MEF)** is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” [@FCD2_2017, page A-1]. -Identification and prioritization of mission essential functions enables effective continuity planning or crisis planning. +A **mission essential function (MEF)** is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” [@FCD2_2017, page A-1]. +Identification and prioritization of mission essential functions enables effective continuity planning or crisis planning. Mission Essential Functions are in effect critical activities within an organization that are used to identify key assets, supporting tasks, and resources that an organization requires to remain operational in a crises situation, and so must be included in its planning process. During an event, key resources may be limited and personnel may be unavailable, so organizations must consider these factors and validate assumptions when identifying, validating, and prioritizing MEFs. -When reviewing the list of organizational functions, an organization must first identify whether a function is essential or non-essential. -The distinction between these two categories is whether or not an organization must perform a function during a disruption to normal operations and must continue performance during emergencies [@FCD2_2017, page B-2]. +When reviewing the list of organizational functions, an organization must first identify whether a function is essential or non-essential. +The distinction between these two categories is whether or not an organization must perform a function during a disruption to normal operations and must continue performance during emergencies [@FCD2_2017, page B-2]. Essential functions are both important and urgent. Functions that can be deferred until after an emergency are identified as non-essential. For example, DoD defines MEFs in [DoD Directive 3020.26 DoD Continuity Policy](https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/302026p.pdf) using similar terminology to [FCD-2](https://www.fema.gov/sites/default/files/2020-07/Federal_Continuity_Directive-2_June132017.pdf) [@dod3026_26_2018]. -As mission essential functions are most clearly defined for government agencies, stakeholders in other sectors may be familiar with different terms of art from continuity planning. -For example, infrastructure providers in the US may better align with [National Critical Functions](https://www.cisa.gov/national-critical-functions). -Private sector businesses may better align with [operational and financial impacts](https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf) in a [business continuity plan](https://www.ready.gov/business-continuity-plan). +As mission essential functions are most clearly defined for government agencies, stakeholders in other sectors may be familiar with different terms of art from continuity planning. +For example, infrastructure providers in the US may better align with [National Critical Functions](https://www.cisa.gov/national-critical-functions). +Private sector businesses may better align with [operational and financial impacts](https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf) in a [business continuity plan](https://www.ready.gov/business-continuity-plan). While the processes, terminology, and audience for these different frameworks differ, they all can provide a sense of the criticality of an asset or assets within the scope of the stakeholder conducting the cyber vulnerability prioritization with SSVC. -In that sense they all function quite similarly within SSVC. Organizations should use whatever is most appropriate for their stakeholder context, with Mission Essential Function analysis serving as a fully worked example in the SSVC documents. - +In that sense they all function quite similarly within SSVC. Organizations should use whatever is most appropriate for their stakeholder context, with Mission Essential Function analysis serving as a fully worked example in the SSVC documents. ## Gathering Information About Mission Impact -The factors that influence the mission impact level are diverse. -This paper does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work. -At a minimum, understanding mission impact should include gathering information about the critical paths that involve vulnerable components, viability of contingency measures, and resiliency of the systems that support the mission. -There are various sources of guidance on how to gather this information; see for example the FEMA guidance in Continuity Directive 2 [@FCD2_2017] or OCTAVE FORTE [@tucker2018octave]. +The factors that influence the mission impact level are diverse. +This paper does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work. +At a minimum, understanding mission impact should include gathering information about the critical paths that involve vulnerable components, viability of contingency measures, and resiliency of the systems that support the mission. +There are various sources of guidance on how to gather this information; see for example the FEMA guidance in Continuity Directive 2 [@FCD2_2017] or OCTAVE FORTE [@tucker2018octave]. This is part of risk management more broadly. It should require the vulnerability management team to interact with more senior management to understand mission priorities and other aspects of risk mitigation. diff --git a/docs/reference/decision_points/public_safety_impact.md b/docs/reference/decision_points/public_safety_impact.md index 9943ddac..5564ac7f 100644 --- a/docs/reference/decision_points/public_safety_impact.md +++ b/docs/reference/decision_points/public_safety_impact.md @@ -16,9 +16,9 @@ This is a compound decision point, therefore it is a notational convenience. Suppliers necessarily have a rather coarse-grained perspective on the broadly defined [Safety Impact](safety_impact.md) Decision Point. Therefore we simplify the above into a binary categorization: -- _Significant_ is when any impact meets the criteria for an impact of Marginal, Critical, or Catastrophic in the +- *Significant* is when any impact meets the criteria for an impact of Marginal, Critical, or Catastrophic in the [Safety Impact](safety_impact.md) table. -- _Minimal_ is when none do. +- *Minimal* is when none do. ## Prior Versions diff --git a/docs/reference/decision_points/public_value_added.md b/docs/reference/decision_points/public_value_added.md index ad5759a9..0284c0da 100644 --- a/docs/reference/decision_points/public_value_added.md +++ b/docs/reference/decision_points/public_value_added.md @@ -7,12 +7,11 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - -The intent of the definition is that one rarely if ever transitions from _limited_ to _ampliative_ or _ampliative_ to _precedence_. -A vulnerability could transition from _precedence_ to _ampliative_ and _ampliative_ to _limited_. +The intent of the definition is that one rarely if ever transitions from *limited* to *ampliative* or *ampliative* to *precedence*. +A vulnerability could transition from *precedence* to *ampliative* and *ampliative* to *limited*. That is, *Public Value Added* should only be downgraded through future iterations or re-evaluations. This directionality is because once other organizations make something public, they cannot effectively un-publish it (it'll be recorded and people will know about it, even if they take down a webpage). -The rare case where *Public Value Added* increases would be if an organization published viable information, but +The rare case where *Public Value Added* increases would be if an organization published viable information, but then published additional misleading or obscuring information at a later time. Then one might go from *limited* to *ampliative* in the interest of pointing to the better information. diff --git a/docs/reference/decision_points/report_credibility.md b/docs/reference/decision_points/report_credibility.md index 647360a1..acce744c 100644 --- a/docs/reference/decision_points/report_credibility.md +++ b/docs/reference/decision_points/report_credibility.md @@ -7,7 +7,6 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - An analyst should start with a presumption of credibility and proceed toward disqualification. The reason for this is that, as a coordinator, occasionally doing a bit of extra work on a bad report is preferable to rejecting legitimate reports. This is essentially stating a preference for false positives over false negatives with respect to credibility determination. @@ -30,35 +29,35 @@ The indicators for or against are not commensurate, and so they cannot be put on If neither of these confirmations are available, then the value of the [*Report Credibility*](#report-credibility) decision point depends on a balancing test among the following indicators. **Indicators *for* Credibility** include: - - - The report is specific about what is affected - - The report provides sufficient detail to reproduce the vulnerability. - - The report describes an attack scenario. - - The report suggests mitigations. - - The report includes proof-of-concept exploit code or steps to reproduce. - - Screenshots and videos, if provided, support the written text of the report and do not replace it. - - The report neither exaggerates nor understates the impact. + +- The report is specific about what is affected +- The report provides sufficient detail to reproduce the vulnerability. +- The report describes an attack scenario. +- The report suggests mitigations. +- The report includes proof-of-concept exploit code or steps to reproduce. +- Screenshots and videos, if provided, support the written text of the report and do not replace it. +- The report neither exaggerates nor understates the impact. **Indicators *against* Credibility** include: - - The report is “spammy” or exploitative (for example, the report is an attempt to upsell the receiver on some product or service). - - The report is vague or ambiguous about which vendors, products, or versions are affected (for example, the report claims that all “cell phones” or “wifi” or “routers” are affected). - - The report is vague or ambiguous about the preconditions necessary to exploit the vulnerability. - - The report is vague or ambiguous about the impact if exploited. - - The report exaggerates the impact if exploited. - - The report makes extraordinary claims without correspondingly extraordinary evidence (for example, the report claims that exploitation could result in catastrophic damage to some critical system without a clear causal connection between the facts presented and the impacts claimed). - - The report is unclear about what the attacker gains by exploiting the vulnerability. What do they get that they didn't already have? For example, an attacker with system privileges can already do lots of bad things, so a report that assumes system privileges as a precondition to exploitation needs to explain what else this gives the attacker. - - The report depends on preconditions that are extremely rare in practice, and lacks adequate evidence for why those preconditions might be expected to occur (for example, the vulnerability is only exposed in certain non-default configurations—unless there is evidence that a community of practice has established a norm of such a non-default setup). - - The report claims dire impact for a trivially found vulnerability. It is not impossible for this to occur, but most products and services that have been around for a while have already had their low-hanging fruit major vulnerabilities picked. One notable exception would be if the reporter applied a completely new method for finding vulnerabilities to discover the subject of the report. - - The report is rambling and is more about a narrative than describing the vulnerability. One description is that the report reads like a food recipe with the obligatory search engine optimization preamble. - - The reporter is known to have submitted low-quality reports in the past. - - The report conspicuously misuses technical terminology. This is evidence that the reporter may not understand what they are talking about. - - The analyst's professional colleagues consider the report to be not credible. - - The report consists of mostly raw tool output. Fuzz testing outputs are not vulnerability reports. - - The report lacks sufficient detail for someone to reproduce the vulnerability. - - The report is just a link to a video or set of images, or lacks written detail while claiming “it's all in the video”. Imagery should support a written description, not replace it. - - The report describes a bug with no discernible security impact. - - The report fails to describe an attack scenario, and none is obvious. +- The report is “spammy” or exploitative (for example, the report is an attempt to upsell the receiver on some product or service). +- The report is vague or ambiguous about which vendors, products, or versions are affected (for example, the report claims that all “cell phones” or “wifi” or “routers” are affected). +- The report is vague or ambiguous about the preconditions necessary to exploit the vulnerability. +- The report is vague or ambiguous about the impact if exploited. +- The report exaggerates the impact if exploited. +- The report makes extraordinary claims without correspondingly extraordinary evidence (for example, the report claims that exploitation could result in catastrophic damage to some critical system without a clear causal connection between the facts presented and the impacts claimed). +- The report is unclear about what the attacker gains by exploiting the vulnerability. What do they get that they didn't already have? For example, an attacker with system privileges can already do lots of bad things, so a report that assumes system privileges as a precondition to exploitation needs to explain what else this gives the attacker. +- The report depends on preconditions that are extremely rare in practice, and lacks adequate evidence for why those preconditions might be expected to occur (for example, the vulnerability is only exposed in certain non-default configurations—unless there is evidence that a community of practice has established a norm of such a non-default setup). +- The report claims dire impact for a trivially found vulnerability. It is not impossible for this to occur, but most products and services that have been around for a while have already had their low-hanging fruit major vulnerabilities picked. One notable exception would be if the reporter applied a completely new method for finding vulnerabilities to discover the subject of the report. +- The report is rambling and is more about a narrative than describing the vulnerability. One description is that the report reads like a food recipe with the obligatory search engine optimization preamble. +- The reporter is known to have submitted low-quality reports in the past. +- The report conspicuously misuses technical terminology. This is evidence that the reporter may not understand what they are talking about. +- The analyst's professional colleagues consider the report to be not credible. +- The report consists of mostly raw tool output. Fuzz testing outputs are not vulnerability reports. +- The report lacks sufficient detail for someone to reproduce the vulnerability. +- The report is just a link to a video or set of images, or lacks written detail while claiming “it's all in the video”. Imagery should support a written description, not replace it. +- The report describes a bug with no discernible security impact. +- The report fails to describe an attack scenario, and none is obvious. We considered adding poor grammar or spelling as an indicator of non-credibility. On further reflection, we do not recommend that poor grammar or spelling be used as an indicator of low report quality, as many reporters may not be native to the coordinator's language. @@ -78,7 +77,5 @@ Furthermore, a report may be factual but not identify any security implications; A coordinator also has a scope defined by their specific constituency and mission. A report can be entirely credible yet remain out of scope for your coordination practice. -Decide what to do about out of scope reports separately, before the vulnerability coordination triage decision begins. +Decide what to do about out of scope reports separately, before the vulnerability coordination triage decision begins. If a report arrives and would be out of scope even if true, there will be no need to proceed with judging its credibility. - - diff --git a/docs/reference/decision_points/safety_impact.md b/docs/reference/decision_points/safety_impact.md index 425dd7a0..1601cde4 100644 --- a/docs/reference/decision_points/safety_impact.md +++ b/docs/reference/decision_points/safety_impact.md @@ -7,7 +7,6 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - !!! tip "See also" - Safety Impact combines with [Mission Impact](./mission_impact.md) to @@ -46,7 +45,7 @@ If the stakeholder is contractually or legally responsible for safe operation of For software used in a wide variety of sectors and deployments, the stakeholder may need to estimate an aggregate safety impact. Aggregation suggests that the stakeholder’s response to this decision point cannot be less than the most severe credible safety impact, but we leave the specific aggregation method or function as a domain-specific extension for future work. -### Gathering Information About Safety Impact +## Gathering Information About Safety Impact The factors that influence the safety impact level are diverse. This paper does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work. @@ -58,7 +57,6 @@ The decision values for safety impact are based on the hazard categories for air To assign a value to [*Safety Impact*](safety_impact.md), at least one type of harm must reach that value. For example, for a [*Safety Impact*](safety_impact.md) of [*major*](safety_impact.md), at least one type of harm must reach [*major*](safety_impact.md) level. All types of harm do not need to rise to the level of [*major*](safety_impact.md), just one type of harm does. - - ### Situated Safety Impact Deployers are anticipated to have a more fine-grained perspective on the safety impacts broadly defined in *Safety Impact*. We defer this topic for now because we combine it with [*Mission Impact*](mission_impact.md) to simplify implementation for deployers. - ## Prior Versions ```python exec="true" idprefix="" @@ -229,4 +225,3 @@ for version in versions: print(example_block(version)) print("\n---\n") ``` - diff --git a/docs/reference/decision_points/supplier_contacted.md b/docs/reference/decision_points/supplier_contacted.md index def0c2b6..f75e1615 100644 --- a/docs/reference/decision_points/supplier_contacted.md +++ b/docs/reference/decision_points/supplier_contacted.md @@ -7,9 +7,6 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - !!! tip "Quality Contact Method" A quality contact method is a publicly posted known good email address, public portal on vendor website, etc. - - diff --git a/docs/reference/decision_points/system_exposure.md b/docs/reference/decision_points/system_exposure.md index 4595895b..9a2f52dd 100644 --- a/docs/reference/decision_points/system_exposure.md +++ b/docs/reference/decision_points/system_exposure.md @@ -7,7 +7,6 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - Measuring the attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus. @@ -18,7 +17,6 @@ Therefore, a deployer’s response to Exposure may change if such mitigations ar If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success. Whether that mitigation allows the deployer to defer further action varies according to each case. - ## Gathering Information About System Exposure *System Exposure* is primarily used by Deployers, so the question is about whether some specific system is in fact exposed, not a hypothetical or aggregate question about systems of that type. @@ -32,13 +30,14 @@ An analyst should also choose *open* for a phone or PC that connects to the web Distinguishing between *small* and *controlled* is more nuanced. If *open* has been ruled out, some suggested heuristics for differentiating the other two are as follows. Apply these heuristics in order and stop when one of them applies. - - If the system's networking and communication interfaces have been physically removed or disabled, choose *small*. - - If [*Automatable*](automatable.md) is [*yes*](automatable.md), then choose *controlled*. The reasoning behind this heuristic is that if reconnaissance through exploitation is automatable, then the usual deployment scenario exposes the system sufficiently that access can be automated, which contradicts the expectations of *small*. - - If the vulnerable component is on a network where other hosts can browse the web or receive email, choose *controlled*. - - If the vulnerable component is in a third party library that is unreachable because the feature is unused in the surrounding product, choose *small*. + +- If the system's networking and communication interfaces have been physically removed or disabled, choose *small*. +- If [*Automatable*](automatable.md) is [*yes*](automatable.md), then choose *controlled*. The reasoning behind this heuristic is that if reconnaissance through exploitation is automatable, then the usual deployment scenario exposes the system sufficiently that access can be automated, which contradicts the expectations of *small*. +- If the vulnerable component is on a network where other hosts can browse the web or receive email, choose *controlled*. +- If the vulnerable component is in a third party library that is unreachable because the feature is unused in the surrounding product, choose *small*. The unreachable vulnerable component scenario may be a point of concern for stakeholders like patch suppliers who often find it more cost-effective to simply update the included library to an existing fixed version rather than try to explain to customers why the vulnerable code is unreachable in their own product. -In those cases, we suggest the stakeholder reviews the decision outcomes of the tree to ensure the appropriate action is taken (paying attention to [_defer_](../../howto/supplier_tree.md) vs [_scheduled_](../../howto/supplier_tree.md), for example). +In those cases, we suggest the stakeholder reviews the decision outcomes of the tree to ensure the appropriate action is taken (paying attention to [*defer*](../../howto/supplier_tree.md) vs [*scheduled*](../../howto/supplier_tree.md), for example). If you have suggestions for further heuristics, or potential counterexamples to these, please describe the example and reasoning in an issue on the [SSVC GitHub](https://github.com/CERTCC/SSVC/issues). diff --git a/docs/reference/decision_points/technical_impact.md b/docs/reference/decision_points/technical_impact.md index 5fc482f1..4b1dcaf6 100644 --- a/docs/reference/decision_points/technical_impact.md +++ b/docs/reference/decision_points/technical_impact.md @@ -16,7 +16,6 @@ Our definition of **vulnerability** is based on the determination that some secu We consider a security policy violation to be a technical impact—or at least, a security policy violation must have some technical instantiation. Therefore, if there is a vulnerability then there must be some technical impact. - !!! tip "Gathering Information About Technical Impact" Assessing *Technical Impact* amounts to assessing the degree of control over the vulnerable component the attacker stands to gain by exploiting the vulnerability. @@ -33,4 +32,3 @@ Therefore, if there is a vulnerability then there must be some technical impact. If you find a vulnerability that should have *total* *Technical Impact* but that does not answer yes to any of these questions, please describe the example and what question we might add to this list in an issue on the [SSVC GitHub](https://github.com/CERTCC/SSVC/issues). - diff --git a/docs/reference/decision_points/utility.md b/docs/reference/decision_points/utility.md index 4779439f..1c465d41 100644 --- a/docs/reference/decision_points/utility.md +++ b/docs/reference/decision_points/utility.md @@ -12,7 +12,6 @@ print(example_block(LATEST)) Utility is a combination of [Automatable](./automatable.md) and [Value Density](./value_density.md) - This is a compound decision point, therefore it is a notational convenience. *Utility* estimates an adversary's benefit compared to their effort based on the assumption that they can exploit the vulnerability. @@ -30,7 +29,6 @@ This framing makes it easier to analytically derive these categories from a desc Roughly, *Utility* is a combination of two things: (1) the value of each exploitation event and (2) the ease and speed with which the adversary can cause exploitation events. We define *Utility* as laborious, efficient, or super effective, as described in the table above. - ## Alternative Utility Outputs Alternative heuristics can plausibly be used as proxies for adversary utility. @@ -45,8 +43,6 @@ Price does not only track the [*Value Density*](value_density.md) of the system, Currently, we simplify the analysis and ignore these factors. However, future work should look for and prevent large mismatches between the outputs of the *Utility* decision point and the exploit markets. - - ## Previous Versions ```python exec="true" idprefix="" @@ -62,4 +58,4 @@ for version in versions: !!! tip "See also" Utility v1.0.0 was a combination of [Virulence](./automatable.md) and - [Value Density](./value_density.md) \ No newline at end of file + [Value Density](./value_density.md) diff --git a/docs/reference/index.md b/docs/reference/index.md index af7ff33b..26a2efc0 100644 --- a/docs/reference/index.md +++ b/docs/reference/index.md @@ -11,19 +11,18 @@ In this section, we provide reference documentation for SSVC. We have organized the reference documentation into two main sections: -
-- :material-arrow-decision-outline: [**Decision Points**](decision_points/index.md) +- :material-arrow-decision-outline: [**Decision Points**](decision_points/index.md) --- - + A list of all the decision points, values, and versions. -- :material-language-python: [**Code Documentation**](code/index.md) - +- :material-language-python: [**Code Documentation**](code/index.md) + --- Documentation for the SSVC Python modules. -
\ No newline at end of file + diff --git a/docs/ssvc-calc/README.md b/docs/ssvc-calc/README.md index db57b28d..f4e9d740 100644 --- a/docs/ssvc-calc/README.md +++ b/docs/ssvc-calc/README.md @@ -1,20 +1,19 @@ -# Dryad +# Dryad + Stakeholder-Specific Vulnerability Categorization Calculator Dryad is a SSVC calculator app that guides you through the simple steps needed in making a vulnerability priority decision. The result of applying SSVC is a priority decision, providing you with a recommended action. See the demo in our [SSVC calc website](https://democert.org/ssvc/) -Some examples of actions are +Some examples of actions are defer, scheduled, out-of-cycle, and immediate. -* The top drop-down allows you to select from multiple decision trees that map to an appropriate Role in SSVC. -* To explore the decision tree, use the button "Show Full Tree" This will show all the branches, nodes and edges that make up the decision tree. A small zoom control horizontal range slider that can help with very large decision trees. -* A drop-down allows you to move from Graphic mode to Simple mode. -* There are also a number of sample CVE in a dropdown that will auto-select a number of steps in the decision tree -* Use the "Start Decision" to navigate the tree for assesing your prioritization for a vulnerability. -* You can also import custom decision trees and custom CVE samples for the current decision tree. -* There is a [data](../data/) folder where there is a number of examples both of schema and examples of exported outputs. -* You can install this directory as a folder in your public website directory. and expose it. All referenced url's are relative in the scripts and HTML files. - - +- The top drop-down allows you to select from multiple decision trees that map to an appropriate Role in SSVC. +- To explore the decision tree, use the button "Show Full Tree" This will show all the branches, nodes and edges that make up the decision tree. A small zoom control horizontal range slider that can help with very large decision trees. +- A drop-down allows you to move from Graphic mode to Simple mode. +- There are also a number of sample CVE in a dropdown that will auto-select a number of steps in the decision tree +- Use the "Start Decision" to navigate the tree for assesing your prioritization for a vulnerability. +- You can also import custom decision trees and custom CVE samples for the current decision tree. +- There is a [data](../data/) folder where there is a number of examples both of schema and examples of exported outputs. +- You can install this directory as a folder in your public website directory. and expose it. All referenced url's are relative in the scripts and HTML files. diff --git a/docs/ssvc-calc/index.md b/docs/ssvc-calc/index.md index 2152c657..7e9df37f 100644 --- a/docs/ssvc-calc/index.md +++ b/docs/ssvc-calc/index.md @@ -1,4 +1,5 @@ # SSVC Calculator + - + diff --git a/docs/topics/asset_management.md b/docs/topics/asset_management.md index a86cddaa..5e697623 100644 --- a/docs/topics/asset_management.md +++ b/docs/topics/asset_management.md @@ -37,4 +37,3 @@ If an organization does not have an asset management or risk management (see also [Gathering Information About Mission Impact](../reference/decision_points/mission_impact.md)) plan and process in place, then SSVC provides some guidance as to what information is important to vulnerability management decisions and the organization should start capturing, storing, and managing. - diff --git a/docs/topics/decision_points_as_bricks.md b/docs/topics/decision_points_as_bricks.md index c60bc044..47aafdea 100644 --- a/docs/topics/decision_points_as_bricks.md +++ b/docs/topics/decision_points_as_bricks.md @@ -1,8 +1,8 @@ # Putting the Pieces Together As we have continued to refine our concept of SSVC, we have an increasing understanding of the importance of -[_Decision Points_](../reference/decision_points/index.md) as the foundational blocks from which the rest of the -SSVC concept is built. A second, but less foundational, concept are the [_Outcomes_](../reference/code/outcomes.md) that +[*Decision Points*](../reference/decision_points/index.md) as the foundational blocks from which the rest of the +SSVC concept is built. A second, but less foundational, concept are the [*Outcomes*](../reference/code/outcomes.md) that provide a vocabulary to describe the results of a decision. ## Decision Points and Outcomes as Bricks @@ -14,13 +14,13 @@ Over time, we have come to think of decision points and outcomes as the LEGO® LEGO® is a trademark of the [LEGO](https://www.lego.com/) Group of companies which does not sponsor, authorize or endorse this site. LEGO® Bricks come in different shapes and sizes, and they can be combined in different ways to build different structures. -Similarly, decision points come in different shapes and sizes, and they can be combined in different ways to build +Similarly, decision points come in different shapes and sizes, and they can be combined in different ways to build different decision models. -And just as some bricks can be substituted for others to add variation, some decision points are substitutable for others. +And just as some bricks can be substituted for others to add variation, some decision points are substitutable for others. We have realized that part of the value of enumerated decision points is that they provide a way to organize the information that is relevant to a decision. This organization is important because it helps us to understand the decision and to communicate -the decision model to others. +the decision model to others. Decision points and outcomes have a few key characteristics that make them useful for organizing information: @@ -32,8 +32,8 @@ Decision points and outcomes have a few key characteristics that make them usefu - **Well-Definedness**: Each decision point has a clear meaning and a clear, ordered set of possible values. This means that the decision point values are not ambiguous or open to interpretation. -In our brick analogy, the toy bricks are similarly independent, discrete, and well-defined. -Independence means that different bricks can serve different purposes in the model. +In our brick analogy, the toy bricks are similarly independent, discrete, and well-defined. +Independence means that different bricks can serve different purposes in the model. The pips on the bricks provide discrete points of attachment to allow bricks to connect together. Well-definedness (specification and manufacturing consistency) allows bricks to be combined effectively. @@ -72,15 +72,15 @@ In that scenario, they might think of the kit more as a supply of specific brick Advanced builders need to understand more about what they are trying to build and how the bricks can be combined to build it. The point is that the model kits serve as a starting point with a lot of flexibility, but it is up to the builder -to decide how much of that flexibility to use. +to decide how much of that flexibility to use. ## SSVC Decision Models as Kits Similarly, SSVC provides a set of "bricks" in the form of [decision points](../reference/decision_points/index.md) -and [outcomes](../reference/code/outcomes.md). +and [outcomes](../reference/code/outcomes.md). We have provided a set of [example decision models](../howto/index.md) and [policies](../howto/index.md) to get you started. You might choose to simply use what we've provided as a starting point. -Or you might already recognize that our example gets the structure of the decision model right, +Or you might already recognize that our example gets the structure of the decision model right, but you need to adapt the outcomes or policy to better fit your situation. You might also recognize that you need to combine different example decision models to build the model you need. @@ -89,19 +89,18 @@ with the [deployer decision model](../howto/deployer_tree.md) to build a model that is relevant to your situation as both a supplier and a deployer. Or, perhaps you have a decision problem that we have not yet addressed with any of our examples. -In that case, you might examine the [decision points](../reference/decision_points/index.md) we've provided and +In that case, you might examine the [decision points](../reference/decision_points/index.md) we've provided and decide which ones are relevant to your situation. You could choose to customize a decision point to better fit your situation, or you might choose to add a new decision point to better suit your needs. -This is the embodiment of the _Stakeholder-Specific_ concept in [SSVC](../index.md): +This is the embodiment of the *Stakeholder-Specific* concept in [SSVC](../index.md): SSVC provides the components for you to build your own decision models, and we provide some examples to get you started. If the examples are sufficient for your needs, then you can simply use them as they are. -But we recognize that you are the expert in your own situation, and that you are in a better position than we are to +But we recognize that you are the expert in your own situation, and that you are in a better position than we are to decide how to combine the provided components to build the decision model you need. If you need to adapt the components we've provided, or if you need to add new components, then we encourage you to do so. And if you think that your adaptations or additions would be useful to others, then we encourage you to share your [suggestions](https://github.com/CERTCC/SSVC/issues), [ideas](https://github.com/CERTCC/SSVC/discussions), and [changes](https://github.com/CERTCC/SSVC/pulls) with the [community](https://github.com/CERTCC/SSVC). - diff --git a/docs/topics/decision_trees.md b/docs/topics/decision_trees.md index e6be7d96..8e03ce6c 100644 --- a/docs/topics/decision_trees.md +++ b/docs/topics/decision_trees.md @@ -24,9 +24,11 @@ Examples are located in [SSVC/data](https://github.com/CERTCC/SSVC/tree/main/dat An interoperable CSV format is also flexible enough to support a variety of uses. Every situation in SSVC is defined by the values for each decision point and the priority label (outcome) for that situation (as defined in [Likely Decision Points and Relevant Data](../reference/decision_points/index.md)). A CSV will typically be 30-100 rows that each look something like: + ``` 2,none,laborious,partial,significant,scheduled ``` + Where “2” is the row number, [*none*](../reference/decision_points/exploitation.md) through [*significant*](../reference/decision_points/public_safety_impact.md) are values for decision points, and *scheduled* is a priority label or outcome. Different stakeholders will have different decision points (and so different options for values) and different outcomes, but this is the basic shape of a CSV file to define SSVC stakeholder decisions. @@ -36,6 +38,7 @@ The tree visualization options are more diverse. We provide an example format, and codified it in [src/SSVC_csv-to-latex.py](https://github.com/CERTCC/SSVC/tree/main/src). Why have we gone to this trouble when (for example) the R data.tree package has a handy print-to-ASCII function? Because this function produces output like the following: + ``` 1 start 2 ¦--AV:N diff --git a/docs/topics/enumerating_decisions.md b/docs/topics/enumerating_decisions.md index 9ce6de99..3e228a97 100644 --- a/docs/topics/enumerating_decisions.md +++ b/docs/topics/enumerating_decisions.md @@ -12,8 +12,6 @@ Some decision makers may have different responsibilities in relation to differen - A web browser developer makes decisions about applying patches to DNS lookup libraries and transport layer security (TLS) libraries. - A video game developer makes decisions about applying patches released to the Unreal Engine. - A medical device developer makes decisions about applying patches to the Linux kernel. - - One might view applying patches as including some development and distribution of the updated product. Or one might take the converse view, that development includes updating libraries. @@ -33,7 +31,6 @@ SSVC models the decision of to be agnostic to whether or not a patch is available. If their decisions are explicit, then the decision makers can use the recommendations from this documentation that are relevant to them. - !!! tip "The Stakeholder Role / Decision Identity" As we have continued to develop SSVC and received feedback from SSVC implementers, we've found that similar @@ -57,7 +54,6 @@ If their decisions are explicit, then the decision makers can use the recommenda - [Coordinator deciding whether to coordinate a case](../howto/coordination_triage_decision.md) - [Coordinator deciding whether to publish about a case](../howto/publication_decision.md) - ## Enumerating Vulnerability Management Units of Work !!! example inline end "Stakeholder Units of Work" @@ -80,9 +76,9 @@ Coordinators might make triage decisions on individual reports, but then make pu ### Aggregation of SSVC Across Units of Work -SSVC users should answer the suggested questions for whatever discrete unit of work they are considering. -There is not necessarily a reliable function to aggregate a recommendation about remediation out of its constituent -vulnerabilities. +SSVC users should answer the suggested questions for whatever discrete unit of work they are considering. +There is not necessarily a reliable function to aggregate a recommendation about remediation out of its constituent +vulnerabilities. For the sake of simplicity of examples, we treat the remediation as a patch of one vulnerability, and comment on any difficulty in generalizing our advice to a more complex patch where appropriate. @@ -99,8 +95,6 @@ difficulty in generalizing our advice to a more complex patch where appropriate. Mitigating actions may include software configuration changes, adding firewall ACLs, or otherwise limiting the system's exposure to reduce the risk of the impact of the vulnerability; or accepting the risk. - - ## Enumerating Action Priority !!! example inline end "Decision Outcomes and Action Priority" @@ -120,10 +114,9 @@ lead to different priorities. For example, some suppliers might need to map their vulnerability response decisions onto a specific set of service level expectations (SLEs) set by their contractual obligations to their customers. Similarly, deployers might need to integrate -their decisions into a broader risk management framework or +their decisions into a broader risk management framework or [IT Service Management](https://en.wikipedia.org/wiki/IT_service_management) (ITSM) process. - !!! example "SSVC, Vulnerability Response, and Risk Management Processes" A few examples from the US Government of organizational process requirements that can affect the decision @@ -137,6 +130,3 @@ their decisions into a broader risk management framework or SSVC implementers in organizations subject to requirements like these may need to adapt their decision models to ensure that they are consistent with the requirements of the organization's broader risk management and ITSM processes. - - - diff --git a/docs/topics/enumerating_stakeholders.md b/docs/topics/enumerating_stakeholders.md index 91adc98f..e6e05a74 100644 --- a/docs/topics/enumerating_stakeholders.md +++ b/docs/topics/enumerating_stakeholders.md @@ -36,5 +36,3 @@ In [Enumerating Decisions](./enumerating_decisions.md), we describe the decision While C-level executives and public policy professionals often make, shape, or incentivize decisions about managing information systems, they are not the target audience, either. To the extent that decision trees for vulnerability management help higher level policy decisions, we believe the best way to help policy makers is by making technical decisions more transparent and explainable. Policy makers may see indirect benefits, but they are not our primary audience and we are not designing an approach for them directly. - - diff --git a/docs/topics/evaluation_of_draft_trees.md b/docs/topics/evaluation_of_draft_trees.md index d4ea0bc3..8de54a65 100644 --- a/docs/topics/evaluation_of_draft_trees.md +++ b/docs/topics/evaluation_of_draft_trees.md @@ -1,5 +1,4 @@ - # Evaluation of the Draft Trees We conducted a pilot test on the adequacy of the hypothesized decision trees. @@ -39,13 +38,13 @@ In some domains, namely exploit availability, we have started that work in paral The structure of the pilot test is as follows. The next table provides an example of the information provided to each analyst. The supplier portfolio details use ~~strikeout font~~ because this decision item was removed after the pilot. The decision procedure for each case is as follows: for each analyst, for each vulnerability, for each stakeholder group, do the following. -1. Start at the root node of the relevant decision tree (deployer or supplier). +1. Start at the root node of the relevant decision tree (deployer or supplier). -2. Document the decision branch that matches the vulnerability for this stakeholder context. +2. Document the decision branch that matches the vulnerability for this stakeholder context. -3. Document the evidence that supports that decision. +3. Document the evidence that supports that decision. -4. Repeat this decision-and-evidence process until the analyst reaches a leaf node in the tree. +4. Repeat this decision-and-evidence process until the analyst reaches a leaf node in the tree. Table: Example of Scenario Information Provided to Analysts (Using [CVE-2019-9042](https://nvd.nist.gov/vuln/detail/CVE-2019-9042) as the Example) @@ -130,7 +129,6 @@ This solution identifies another difficulty of Fleiss’ kappa, namely that it d Nonetheless, *k* provides some way to measure improvement on this a conceptual engineering task. The pilot evaluation can be repeated, with more diverse groups of stakeholders after the descriptions have been refined by stakeholder input, to measure fit to this goal. For a standard to be reliably applied across different analyst backgrounds, skill sets, and cultures, a set of decision point descriptions should ideally achieve *k* of 1 for each item in multiple studies with diverse participants. Such a high level of agreement would be difficult to achieve, but it would ensure that when two analysts assign a priority with the system that they get the same answer. Such agreement is not the norm with CVSS currently [@allodi2018effect]. - Table: SSVC pilot scores compared with the CVSS base scores for the vulnerabilities provided by NVD. | CVE-ID | Representative SSVC decision values | SSVC recommendation (supplier, deployer) | NVD’s CVSS base score | @@ -153,19 +151,19 @@ Based on these results, we made about ten changes, some bigger than others. We d The following changes were reflected in the version 1 Section "Decision Trees for Vulnerability Management." - - Technical impact: We clarified that partial/total is decided regarding the system scope definition, which considers a database or a web server program as the “whole” system. Furthermore, “total” also includes any technical impact that exposes authentication credentials to the adversary, if those credentials are to the whole system. +- Technical impact: We clarified that partial/total is decided regarding the system scope definition, which considers a database or a web server program as the “whole” system. Furthermore, “total” also includes any technical impact that exposes authentication credentials to the adversary, if those credentials are to the whole system. - - We added advice for information gathering to answer safety impact and mission impact questions. This change is needed because of the particularly wide variety of background assumptions analysts made that influenced results and agreement. +- We added advice for information gathering to answer safety impact and mission impact questions. This change is needed because of the particularly wide variety of background assumptions analysts made that influenced results and agreement. - - We clarified that “MEF failure” refers to any **one** essential function failing, not failure of all of them. We changed most severe mission impact to “mission failure” to better reflect the relationship between MEFs and the organization’s mission. +- We clarified that “MEF failure” refers to any **one** essential function failing, not failure of all of them. We changed most severe mission impact to “mission failure” to better reflect the relationship between MEFs and the organization’s mission. - - We removed the “supplier portfolio value” question since it had poor agreement, and there is no clear way to correct it. We replaced this question with *Utility*, which better captures the relevant kinds of value (namely, to the adversary) of the affected component while remaining amenable to pragmatic analysis. +- We removed the “supplier portfolio value” question since it had poor agreement, and there is no clear way to correct it. We replaced this question with *Utility*, which better captures the relevant kinds of value (namely, to the adversary) of the affected component while remaining amenable to pragmatic analysis. - - We clarified that “proof of concept” (see *Exploitation*) includes cases in which existing tooling counts as a PoC. The examples listed are suggestive, not exhaustive. +- We clarified that “proof of concept” (see *Exploitation*) includes cases in which existing tooling counts as a PoC. The examples listed are suggestive, not exhaustive. - - We reorganized the decision trees based on which items are easier to gather information for or which ones have a widely verifiable state. This change moved *exploitation* to the first question. +- We reorganized the decision trees based on which items are easier to gather information for or which ones have a widely verifiable state. This change moved *exploitation* to the first question. - - We changed the decision tree results such that if exposure is “small,” then the resulting priority is lower than before the pilot study. That is, “small” exposure has a stronger effect on reducing urgency. +- We changed the decision tree results such that if exposure is “small,” then the resulting priority is lower than before the pilot study. That is, “small” exposure has a stronger effect on reducing urgency. ### Questions Removed as Ineffective diff --git a/docs/topics/formalization_options.md b/docs/topics/formalization_options.md index b96676bb..75d8d14e 100644 --- a/docs/topics/formalization_options.md +++ b/docs/topics/formalization_options.md @@ -45,4 +45,3 @@ We use decision trees in the tradition of decision analysis, not ML. | *Other ML* | :x: | Maybe | :x: | :x: | :x: | :x: | | *Boolean First Order Logics* | Maybe | Maybe | :white_check_mark: | :white_check_mark: | :white_check_mark: | Maybe | | *Decision Trees* | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | - diff --git a/docs/topics/future_work.md b/docs/topics/future_work.md index 61588546..05d09574 100644 --- a/docs/topics/future_work.md +++ b/docs/topics/future_work.md @@ -2,7 +2,7 @@ We intend SSVC to offer a workable baseline from which to improve and refine a vulnerability-prioritization methodology. We are working to improve SSVC. -Several of the future work items in this section have issues associated with them on the SSVC GitHub page (https://github.com/CERTCC/SSVC/issues), which is a good place to go to check on progress or help. +Several of the future work items in this section have issues associated with them on the SSVC GitHub page (), which is a good place to go to check on progress or help. Plans for future work focus on further requirements gathering, analysis of types of risk, and further testing of the reliability of the decision process. ## Requirements Gathering via Sociological Research @@ -10,9 +10,9 @@ Plans for future work focus on further requirements gathering, analysis of types The community should know what users of a vulnerability prioritization system want. To explore their needs, it is important to understand how people actually use CVSS and what they think it tells them. In general, such empirical, grounded evidence about what practitioners and decision makers want from vulnerability scoring is lacking. -We have based SSVC’s methodology on multiple decades of professional experience and myriad informal conversations with practitioners. -Such evidence is not a bad place to start, but it does not lend itself to examination and validation by others. -The purpose of understanding practitioner expectations is to inform what a vulnerability-prioritization methodology should actually provide by matching it to what people need or expect. +We have based SSVC’s methodology on multiple decades of professional experience and myriad informal conversations with practitioners. +Such evidence is not a bad place to start, but it does not lend itself to examination and validation by others. +The purpose of understanding practitioner expectations is to inform what a vulnerability-prioritization methodology should actually provide by matching it to what people need or expect. The method this future work should take is long-form, structured interviews. We do not expect anyone to have access to enough consumers of CVSS to get statistically valid results out of a short survey, nor to pilot a long survey. @@ -43,7 +43,6 @@ The “credible effects” to consider are those of all vulnerabilities remediat How exactly to aggregate these different effects is not currently specified except to say that the unit of analysis is the whole work item. Future work should provide some examples of how this holistic analysis of multiple vulnerabilities remediated in one patch should be conducted. - ## Further Decision Tree Testing More testing with diverse analysts is necessary before the decision trees are reliable. In this context, **reliable** means that two analysts, given the same vulnerability description and decision process description, will reach the same decision. Such reliability is important if scores and priorities are going to be useful. If they are not reliable, they will vary widely over time and among analysts. Such variability makes it impossible to tell whether a difference in scores is really due to one vulnerability being higher priority than other. diff --git a/docs/topics/index.md b/docs/topics/index.md index eff8e9f3..d1e73a6d 100644 --- a/docs/topics/index.md +++ b/docs/topics/index.md @@ -11,7 +11,6 @@ [SSVC How-To](../howto/index.md) provides practical guidance for implementing SSVC in your organization. For technical reference, see [Reference](../reference/index.md). - This documentation defines a testable Stakeholder-Specific Vulnerability Categorization (SSVC) for prioritizing actions during vulnerability management. The stakeholders in vulnerability management are diverse. This diversity must be accommodated in the main functionality, rather than squeezed into hard-to-use optional features. @@ -23,7 +22,6 @@ As such, the modeling framework is important but difficult to pin down. We approach this problem as a satisficing process. We do not seek optimal formalisms, but an adequate formalism. - ## Key Concepts in SSVC Decision Models SSVC models individual vulnerability management decisions. It is built around the following concepts: @@ -34,14 +32,13 @@ SSVC models individual vulnerability management decisions. It is built around th are an ordered set of enumerated values. They are ordered because they are sortable in some dimension, usually having to do with priority or urgency. They are enumerated because they are finite and discrete. - **Outcomes** are the dependent variables that are relevant to the decision. Each outcome represents a different - possible result of the decision. -- **Outcome Values** are the possible values for an Outcome. Outcomes are similarly defined as an ordered set of + possible result of the decision. +- **Outcome Values** are the possible values for an Outcome. Outcomes are similarly defined as an ordered set of enumerated values, usually indicating a priority or urgency. - A **Policy** is a mapping from each combination of decision point values to the set of outcome values. - A **Decision Function** is a function that accepts a set of decision point values and returns an outcome value based on a policy. - ```mermaid --- title: Decision Points and Values @@ -69,7 +66,6 @@ flowchart LR Policy --> Outcomes ``` - !!! question "Where do the trees come in?" Our initial concept for SSVC's decision modeling was based on decision trees. @@ -89,7 +85,7 @@ flowchart LR convenient way to visualize the decision function, but they are not a requirement of the model. ## Topics Overview - + The remainder of this section is organized as follows:
diff --git a/docs/topics/information_sources.md b/docs/topics/information_sources.md index 2e080f6f..3ed11424 100644 --- a/docs/topics/information_sources.md +++ b/docs/topics/information_sources.md @@ -21,7 +21,6 @@ Although the lists are all different, we expect they are all valid information s We are not aware of a comparative study of the different lists of active exploits; however, we expect they have similar properties to block lists of network touchpoints [@metcalf2015blocklist] and malware [@kuhrer2014paint]. Namely, each list has a different view and vantage on the problem, which makes them appear to be different, but each list accurately represents its particular vantage at a point in time. - ## System Exposure [*System Exposure*](../reference/decision_points/system_exposure.md) could be informed by the various scanning platforms such as Shodan and Shadowserver. @@ -30,6 +29,7 @@ Such scans do not find all [*open*](../reference/decision_points/system_exposure Scanning software, such as the open-source tool Nessus, could be used to scan for connectivity inside an organization to catalogue what devices should be scored [*controlled*](../reference/decision_points/system_exposure.md) if, say, the scan finds them on an internal network where devices regularly connect to the Internet. --- + ## Adapting other Information Sources Some information sources that were not designed with SSVC in mind can be adapted to work with it. @@ -54,16 +54,16 @@ The interpretation is different for CVSS version 3 than version 4. That is, if the vulnerability leads to a high impact on the confidentiality and integrity of the vulnerable system, then that is equivalent to total technical impact on the system. -The following considerations are accounted for in this recommendation. +The following considerations are accounted for in this recommendation. 1. A denial of service condition is modeled as a *partial* [*Technical Impact*](../reference/decision_points/technical_impact.md). Therefore, a high availability impact to the vulnerable system should not be mapped to *total* [*Technical Impact*](../reference/decision_points/technical_impact.md) on its own. -2. There may be situations in which a high confidentiality impact is sufficient for total technical impact; for example, disclosure of the root or administrative password for the system leads to total technical control of the system. -So this suggested mapping is a useful heuristic, but there may be exceptions, depending on exactly what the CVSS v4 metric value assignment norms are and become for these situations. +2. There may be situations in which a high confidentiality impact is sufficient for total technical impact; for example, disclosure of the root or administrative password for the system leads to total technical control of the system. +So this suggested mapping is a useful heuristic, but there may be exceptions, depending on exactly what the CVSS v4 metric value assignment norms are and become for these situations. 3. While the Subsequent System impact metric group in CVSS v4 is useful, those concepts are not captured by [*Technical Impact*](../reference/decision_points/technical_impact.md). -Subsequent System impacts are captured, albeit in different framings, by decision points such as [*Situated Safety Impact*](../reference/decision_points/safety_impact.md), [*Mission Impact*](../reference/decision_points/mission_impact.md), and [*Value Density*](../reference/decision_points/value_density.md). -There is not a direct mapping between the subsequent system impact metric group and these decision points, except in the case of [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md) and the CVSS v4 environmental metrics for Safety Impact in the subsequent system metric group. -In that case, both definitions map back to the same safety impact standard for definitions (IEC 61508) and so are easily mapped to each other. +Subsequent System impacts are captured, albeit in different framings, by decision points such as [*Situated Safety Impact*](../reference/decision_points/safety_impact.md), [*Mission Impact*](../reference/decision_points/mission_impact.md), and [*Value Density*](../reference/decision_points/value_density.md). +There is not a direct mapping between the subsequent system impact metric group and these decision points, except in the case of [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md) and the CVSS v4 environmental metrics for Safety Impact in the subsequent system metric group. +In that case, both definitions map back to the same safety impact standard for definitions (IEC 61508) and so are easily mapped to each other. #### CVSS v3 and Technical Impact @@ -72,10 +72,10 @@ For CVSS v3, the impact metric group cannot be directly mapped to [*Technical Im If the CVSS version 3 value of “Scope” is “Unchanged,” then the recommendation is the same as that for CVSS v4, above, as the impact metric group is information exclusively about the vulnerable system. If the CVSS version 3 value of “Scope” is “Changed,” then the impact metrics may be about either the vulnerable system or the subsequent systems, based on whichever makes the final score higher. Since [*Technical Impact*](../reference/decision_points/technical_impact.md) is based only on the vulnerable system impacts, if "Scope" is "Changed" then the ambiguity between vulnerable and subsequent system impacts is not documented in the vector string. -This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../reference/decision_points/technical_impact.md) value in this case. +This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../reference/decision_points/technical_impact.md) value in this case. !!! tip "Mapping CVSS v3 to Technical Impact" - + Summarizing the discussion above, the mapping between CVSS v3 and [*Technical Impact*](../reference/decision_points/technical_impact.md) is | CVSS Scope | Confidentiality
(C) | Integrity
(I) | Availability
(A) | [*Technical Impact*](../reference/decision_points/technical_impact.md) | @@ -85,7 +85,6 @@ This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../re | Unchanged | Low (L) or None (N) | High (H) | *any* | Partial | | Changed | *any* | *any* | *any* | (ambiguous) | - ### CWE and Exploitation As mentioned in the discussion of [*Exploitation*](../reference/decision_points/exploitation.md), [CWE](https://cwe.mitre.org/) could be used to inform one of the conditions that satisfy [*proof of concept*](../reference/decision_points/exploitation.md). diff --git a/docs/topics/items_with_same_priority.md b/docs/topics/items_with_same_priority.md index 87641842..e1b3f661 100644 --- a/docs/topics/items_with_same_priority.md +++ b/docs/topics/items_with_same_priority.md @@ -31,5 +31,3 @@ The priority is equivalent. fine-grained priorities within qualitative categories anyway. With our system, organizations can be more deliberate about conveniently organizing work that is of equivalent priority. - - diff --git a/docs/topics/limitations.md b/docs/topics/limitations.md index c6b365fd..2b2d0bf5 100644 --- a/docs/topics/limitations.md +++ b/docs/topics/limitations.md @@ -25,16 +25,16 @@ This is not a calculation of any kind, just an assignment of a label which may m Of course, these labels are dangerous, as they may be misused as numbers. Therefore, we prefer the use *defer*, *scheduled*, etc., as listed in [Enumerating Vulnerability Management Actions](../howto/deployer_tree.md). - + ## Expanded Context We incorporated a wider variety of inputs from contexts beyond the affected component. Some organizations are not prepared or configured to reliably produce such data (e.g., around mission impact or safety impact). There is adequate guidance for how to elicit and curate this type information from various risk management frameworks, including OCTAVE [@caralli2007octave]. Not every organization is going to have sufficiently mature risk management functions to apply SSVC.\ - + This second limitation should be approached with two strategies: 1. Organizations should be encouraged and enabled to mature their risk management capabilities -2. In the meantime, organizations such as NIST could consider developing default advice. +2. In the meantime, organizations such as NIST could consider developing default advice. The most practical framing of this approach might be for the NIST NVD to produce scores from the perspective of a - new stakeholder—something like “national security” or “public well-being” that is explicitly a sort of default + new stakeholder—something like “national security” or “public well-being” that is explicitly a sort of default advice for otherwise uninformed organizations that can then explicitly account for national priorities, such as critical infrastructure. diff --git a/docs/topics/related_systems.md b/docs/topics/related_systems.md index 4a4ed6ee..16c71596 100644 --- a/docs/topics/related_systems.md +++ b/docs/topics/related_systems.md @@ -107,7 +107,6 @@ CVSS is one-size-fits-all by design. These customization efforts struggle with adapting CVSS because it was not designed to be adaptable to different stakeholder considerations. The SSVC section [Tree Construction and Customization Guidance](../howto/tree_customization.md) explains how stakeholders or stakeholder communities can adapt SSVC in a reliable way that still promotes repeatability and communication. - ## vPrioritizer vPrioritizer is an open-source project that attempts to integrate asset management and vulnerablity prioritization. @@ -118,5 +117,3 @@ In that sense, it is compatible with any of methods mentioned above or SSVC. However, SSVC would be better suited to address vPrioritizer's broad spectrum asset management data. For example, vPrioritizer aims to collect data points on topics such as asset significance. Asset significance could be expressed through the SSVC decision points of [*Mission Impact*](../reference/decision_points/mission_impact.md) and situated [*Well-being Impact*](../reference/decision_points/human_impact.md), but it does not have a ready expression in CVSS, EPSS, or VPR. - - diff --git a/docs/topics/representing_information.md b/docs/topics/representing_information.md index 0d09753f..d5c6f471 100644 --- a/docs/topics/representing_information.md +++ b/docs/topics/representing_information.md @@ -1,7 +1,7 @@ # Representing Information for Decisions About Vulnerabilities We propose that decisions about vulnerabilities—rather than their severity—are a more useful approach. -Our design goals for the decision-making process are to +Our design goals for the decision-making process are to - clearly define whose decisions are involved - properly use evidentiary categories @@ -35,23 +35,22 @@ Therefore, under a Gaussian error distribution, 8.9 is really 60\% high and 40\% SSVC decisions should be distinct and crisp, without such statistical overlaps. We avoid numerical representations for either inputs or outputs of a vulnerability management decision process. -Quantified metrics are more useful when +Quantified metrics are more useful when -1. data for decision making is available, and +1. data for decision making is available, and 2. the stakeholders agree on how to measure. Vulnerability management does not yet meet either criterion. Furthermore, it is not clear to what extent measurements about a vulnerability can be informative about other vulnerabilities. Each vulnerability has a potentially unique relationship to the socio-technical system in which it exists, including the Internet. - ## Be Based on Reliably Available Evidence Vulnerability management decisions are often contextual: given what is known at the time, the decision is to do X. But what is known can change over time, which can and should influence the decision. The context of the vulnerability, and the systems it impacts, are inextricably linked to managing it. Some information about the context will be relatively static over time, such as the contribution of a system to an organization's mission. -Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks. +Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks. Temporal and environmental considerations should be primary, not optional as they are in CVSS. We discuss the temporal aspects further in [Information Changes over Time](../howto/bootstrap/use.md). @@ -65,9 +64,9 @@ Transparency should improve trust in the results. Finally, any result of a decision-making process should be **explainable** Explainable is defined and used with its common meaning, not as it is used in the research area of explainable artificial intelligence. An explanation should make the process intelligible to an interested, competent, non-expert person. -There are at least two reasons common explainability is important: +There are at least two reasons common explainability is important: -1. for troubleshooting and error correction and +1. for troubleshooting and error correction and 2. for justifying proposed decisions. ## Summary @@ -75,17 +74,16 @@ There are at least two reasons common explainability is important: To summarize, the following are our design goals for a vulnerability management process: - - Outputs are decisions. +- Outputs are decisions. - - Pluralistic recommendations are made among a manageable number of +- Pluralistic recommendations are made among a manageable number of stakeholder groups. - - Inputs are qualitative. +- Inputs are qualitative. - - Outputs are qualitative, and there are no (unjustified) shifts to +- Outputs are qualitative, and there are no (unjustified) shifts to quantitative calculations. - - Process justification is transparent. - - - Results are explainable. +- Process justification is transparent. +- Results are explainable. diff --git a/docs/topics/risk_tolerance_and_priority.md b/docs/topics/risk_tolerance_and_priority.md index 631be2dc..e738e411 100644 --- a/docs/topics/risk_tolerance_and_priority.md +++ b/docs/topics/risk_tolerance_and_priority.md @@ -21,11 +21,10 @@ A successful vulnerability management practice must balance at least two risks: problems that could arise from making changes to production systems. 2. **Vulnerability risk**: the potential costs of incidents resulting from exploitation of vulnerable systems - In developing the decision trees in this document, we had in mind stakeholders with a moderate tolerance for risk. The resulting trees reflect that assumption. Organizations may of course be more or less conservative in their own vulnerability management practices, and we cannot presume to determine how an organization should balance their risk. We therefore remind our readers that the labels on the trees (defer, immediate, etc.) can and should be customized to -suit the needs of individual stakeholders wherever necessary and appropriate. +suit the needs of individual stakeholders wherever necessary and appropriate. --- @@ -37,5 +36,3 @@ suit the needs of individual stakeholders wherever necessary and appropriate. the most urgent response. - On the other hand, an organization with a high aversion to vulnerability risk could elevate the priority of many branches to ensure fixes are deployed quickly. - - diff --git a/docs/topics/state_of_practice.md b/docs/topics/state_of_practice.md index e2009777..a9c0997e 100644 --- a/docs/topics/state_of_practice.md +++ b/docs/topics/state_of_practice.md @@ -1,5 +1,4 @@ - # Current state of practice **Vulnerability management** covers “the discovery, analysis, and handling of new or reported security vulnerabilities in information systems \[and\] the detection of and response to known vulnerabilities in order to prevent them from being exploited” [@csirtservices_v2]. diff --git a/docs/topics/vulnerability_management_decisions.md b/docs/topics/vulnerability_management_decisions.md index 9744d8fd..6edc2258 100644 --- a/docs/topics/vulnerability_management_decisions.md +++ b/docs/topics/vulnerability_management_decisions.md @@ -8,4 +8,3 @@ The “what” is about the scope, both in how the affected system is defined an While we strive to make our examples realistic, we invite the community to engage and conduct empirical assessments to test them. The following construction should be treated as an informed hypothesis rather than a conclusion. - diff --git a/docs/topics/worked_example.md b/docs/topics/worked_example.md index 21542a34..ba00739b 100644 --- a/docs/topics/worked_example.md +++ b/docs/topics/worked_example.md @@ -43,7 +43,7 @@ use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select [*small*](../reference/decision_points/system_exposure.md) and move on to ask about mission impact. -According to the fictional pilot scenario, +According to the fictional pilot scenario, > Our mission dictates that the first and foremost priority is to contribute to human welfare and to uphold the Hippocratic oath (do no harm). diff --git a/docs/tutorials/index.md b/docs/tutorials/index.md index ba3c6f09..802ff565 100644 --- a/docs/tutorials/index.md +++ b/docs/tutorials/index.md @@ -44,9 +44,6 @@ SSVC can be used in conjunction with other tools and methodologies to help prior This information can be used to inform the [Exploitation](../reference/decision_points/exploitation.md) decision point in the [Supplier](../howto/supplier_tree.md), [Deployer](../howto/deployer_tree.md), and [Coordinator Publication](../howto/publication_decision.md) decision models. - - - ## Videos Provided below are videos that provide an overview of SSVC and the implementation of decision models. @@ -71,6 +68,6 @@ We've collected a list of articles and blog posts that provide additional inform | SEI | [Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization](https://insights.sei.cmu.edu/blog/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization/) | | CISA | [Stakeholder-Specific Vulnerability Categorization (SSVC)](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) | | Qualys | [Effective Vulnerability Management with Stakeholder Specific Vulnerability Categorization (SSVC) and Qualys TruRisk](https://blog.qualys.com/product-tech/2022/11/30/effective-vulnerability-management-with-ssvc-and-qualys-trurisk) | -| Vulcan Cyber | [The SSVC risk prioritization method: what it is, when to use it, and alternatives](https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/) | +| Vulcan Cyber | [The SSVC risk prioritization method: what it is, when to use it, and alternatives](https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/) | -Have a link to something we missed? Let us know in an [issue](https://github.com/CERTCC/SSVC/issues/new). \ No newline at end of file +Have a link to something we missed? Let us know in an [issue](https://github.com/CERTCC/SSVC/issues/new). diff --git a/src/README.md b/src/README.md index 84b8f226..e90e39d1 100644 --- a/src/README.md +++ b/src/README.md @@ -7,13 +7,14 @@ This directory holds helper scripts that can make managing or using SSVC easier. This python script takes a CSV of the format in the `../data` directory and gets you (most of the way) to a pretty decision tree visualization. It creates a LaTeX file that can create a PDF (and from there, a PNG or whatever you want). `python SSVC_csv-to-latex.py --help` works and should explain all your options. -When the script finishes, it will also print a message with instructions for creating the PDF or PNG from the tex. A potential future improvement is to call `latexmk` directly from the python script. +When the script finishes, it will also print a message with instructions for creating the PDF or PNG from the tex. A potential future improvement is to call `latexmk` directly from the python script. Example usage: + ``` python SSVC_csv-to-latex.py --input=../data/ssvc_2_deployer_simplified.csv --output=tmp.tex --delim="," --columns="0,2,1" --label="3" --header-row --priorities="defer, scheduled, out-of-cycle, immediate" ``` Dependencies: LaTeX. -To install latex, see https://www.latex-project.org/get/ -`latexmk` is a helper script that is not included in all distributions by default; if you need it, see https://ctan.org/pkg/latexmk/?lang=en +To install latex, see +`latexmk` is a helper script that is not included in all distributions by default; if you need it, see