Talk:Vulnerability (computer security): Difference between revisions

From Wikipedia, the free encyclopedia
Brownh2o (talk | contribs)
No edit summary
 
m combine wikiproject tags
 
(33 intermediate revisions by 27 users not shown)
{{talkheader}}
{{WikiProject banner shell|class=Start|
{{WikiProject Computing |importance=Mid |software=yes |software-importance=High |security=yes |security-importance=Top}}

}}

== What is a vulnerability ==

I think this is a good idea -- the Software security vulnerability article can be used as part of the Vulnerability article.


I am curious, doesn't vulnerability need to say that it's "vulnerable to" something? For example, we don't say that "New Orleans is vulnerable." We might say that "New Orleans has a high vulnerability to a Force 5 hurricane," but could we just say that the "New Orleans levees have high vulnerabilities to hurricanes"? I don't think so, since they really were only vulnerable to level 5 and higher. There needs to be a force against. Or a threat... in fact, more specifically, there needs to be a specific amount of threat, like Force 5 hurricanes. In computing, vendors have erroneously stated that a server has a high vulnerability... but often without regard to what amount of threat. My server has almost no vulnerabilities if my threat agent is a four-year-old girl. But a skilled, malicious hacker sponsored by a terrorist state might make Swiss cheese of my server. Did my vulnerability just change based on the threat agent's capabilities? I think it did. Maybe we should consider adding something that states that vendors of security products typically over-generalize the acting threat agents... or do they even consider them? -- Anonymous

There are computer vulnerabilities, network vulnerabilities, application vulnerabilities ... each layer of the network stack is subject to attacks based on the properties of that layer. Like saying New Orleans is vulnerable to weather, famine, disease ... [[User:Tanjstaffl|Tanjstaffl]]<small>([[User talk:Tanjstaffl|talk]])</small> 00:26, 19 April 2007 (UTC)

: The first paragraph has at least two problems that persist.
:: The definition of "Vulnerability" is incorrect. What is offered as such accurately identifies the requirements for a breach.
:: "Information Assurance" should be replaced with "trust" -- as in, a person's emotional feeling of trust. "Information Assurance" is specific, I think, to DOD/military, while "InfoSec" is used in a civilian/non-mil context. Each is a topic, much like "History" or "Social Studies". The objective for each differs. In a mil context, the objective is mission security, whereas in the civilian context, the focus is on loss of life. Life isn't valued differently, but statistics used to assess risk treat loss of life as integer data rather than as binary categorical data.

[[User:Kernel.package|Kernel.package]] ([[User talk:Kernel.package|talk]]) 21:30, 27 December 2010 (UTC)

Vulnerability to poverty is a measure which describes the greater probability to certain communities or individuals of becoming poor or remaining poor in the coming years [[User:Edwin saji 83|Edwin saji 83]] ([[User talk:Edwin saji 83|talk]]) 23:49, 5 December 2018 (UTC)

Vulnerability is determined by the options available to different communities for finding an alternative living in terms of assets, education, health and job opportunities [[User:Edwin saji 83|Edwin saji 83]] ([[User talk:Edwin saji 83|talk]]) 23:57, 5 December 2018 (UTC)

== Disclosure ==
I think the section on full disclosure starts out well, showing a balanced view of the topic, but then takes a biased point of view. I myself am generally considered an expert in the security arena that the public listens to, and I don't fully agree with full disclosure; it's a complicated issue. It should be discussed by all means, but the sentence that reads "From the security perspective, only a free and public disclosure can ensure that all interested parties get the relevant information. Security through obscurity is a concept that most experts consider unreliable." onward takes a biased viewpoint on the issue. There are pros and cons to both sides, and Wikipedia shouldn't be taking sides on this or any controversial issue. --[[User:Abaddon314159|Michael Lynn]] 23:39, 20 March 2007 (UTC)

:I agree. Disclosure methods are controversial, prone to biased viewpoints, and will probably stay that way for the foreseeable future. I moved that section from its original place in the article (where it didn't belong at all, imo) and made a minor change to reduce some of the bias, but I think it needs to be completely reworked. What might work is to have a para on different methods of disclosure (i.e. full disclosure, "responsible disclosure", "pre-disclosure", etc.). Even then that can be tricky to write without bias (ex: what is "responsible disclosure"?). [[User:Dman727|Dman727]] 03:05, 21 March 2007 (UTC)

== Advertising ==
It bugs me to see so many links to commercial products here. It's not representative of the whole market, and even if it was, this is not an advertising venue; it's an encyclopedia. Can we clean up that garbage? --[[User:Abaddon314159|Michael Lynn]] 22:14, 13 April 2007 (UTC)

== The first paragraph ==

The first paragraph seems to have been plagiarized from http://www.techcert.lk/index.php?option=com_content&task=view&id=5&Itemid=33 so I have removed it. --[[User:Waldo|Waldo]] ([[User talk:Waldo|talk]])

== A construct in a computer language is said to be a vulnerability when many program faults can have their root cause traced to its use. ==

I removed this; it was reverted. Fair enough. But I hope that a good reference will be added soon, or I'll remove it again.

Memory allocation bugs are a big source of vulnerabilities. But who calls memory allocation a vulnerability? Likewise, people screw up all the time with pointers. But I've never heard the pointers themselves called "a vulnerability." A potential ''source'' of vulnerabilities, sure.

Now, it's entirely possible that during my existence I've just completely missed this use of terminology. If it is in fact used in practice, please add a reliable reference. Thanks, [[User:WalterGR|WalterGR]] ([[User talk:WalterGR|talk]] | [[Special:Contributions/WalterGR|contributions]]) 01:18, 18 March 2008 (UTC)

:Good point. Perhaps the appropriate term to use is ''source of vulnerabilities'', or ''common source of vulnerabilities''. One reference is [http://www.aitcnet.org/isai/ this work]. [[User:Derek farn|Derek farn]] ([[User talk:Derek farn|talk]]) 02:11, 18 March 2008 (UTC)

== Tags ==
This article has been tagged for a long time. Are there still active disputes? If so, let's address them. If not, or no one cares, let's delete any problematic sections of the article, and remove the tags. --[[User:Elonka|El]][[User talk:Elonka|on]][[Special:Contributions/Elonka|ka]] 04:39, 3 August 2008 (UTC)

== Vulnerability windows and definitions ==

See my comments on [[Talk:Zero-day attack#Vulnerability windows and definitions|Talk:Zero-day attack]] --[[User:AlastairIrvine|AlastairIrvine]] ([[User talk:AlastairIrvine|talk]]) 17:58, 10 April 2014 (UTC)

== Examples ==
Peripheral device vulnerabilities have been a well-known threat for a number of years; articles have been published by a number of universities, Forbes, Checkmarx, Mashable, Android Authority and dozens of other sites.

== External links modified ==

Hello fellow Wikipedians,

I have just added archive links to {{plural:2|one external link|2 external links}} on [[Vulnerability (computing)]]. Please take a moment to review [https://en.wikipedia.org/enwiki/w/index.php?diff=prev&oldid=698959947 my edit]. If necessary, add {{tlx|cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{tlx|nobots|deny{{=}}InternetArchiveBot}} to keep me off the page altogether. I made the following changes:
*Added archive https://web.archive.org/20100705110913/http://www.isaca.org:80/Knowledge-Center/Research/Documents/RiskIT-FW-18Nov09-Research.pdf to http://www.isaca.org/Knowledge-Center/Research/Documents/RiskIT-FW-18Nov09-Research.pdf
*Added archive https://web.archive.org/20071021201149/http://blog.mozilla.com:80/rob-sayre/2007/09/28/blaming-the-victim/ to http://blog.mozilla.com/rob-sayre/2007/09/28/blaming-the-victim/

When you have finished reviewing my changes, please set the ''checked'' parameter below to '''true''' to let others know.

{{sourcecheck|checked=false}}

Cheers.—[[User:Cyberbot II|<sup style="color:green;font-family:Courier">cyberbot II</sup>]]<small><sub style="margin-left:-14.9ex;color:green;font-family:Comic Sans MS">[[User talk:Cyberbot II|<span style="color:green">Talk to my owner</span>]]:Online</sub></small> 09:35, 9 January 2016 (UTC)

== External links modified ==

Hello fellow Wikipedians,

I have just modified one external link on [[Vulnerability (computing)]]. Please take a moment to review [[special:diff/816910888|my edit]]. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit [[User:Cyberpower678/FaQs#InternetArchiveBot|this simple FaQ]] for additional information. I made the following changes:
*Added archive https://web.archive.org/web/20141118061526/http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf to http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

{{sourcecheck|checked=false|needhelp=}}

Cheers.—[[User:InternetArchiveBot|'''<span style="color:darkgrey;font-family:monospace">InternetArchiveBot</span>''']] <span style="color:green;font-family:Rockwell">([[User talk:InternetArchiveBot|Report bug]])</span> 16:19, 24 December 2017 (UTC)

== Error in definition ==

The sentence "Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw" was simply wrong. Removed. All definitions provided in this article are correct, while the sentence is correct for a (security) breach, not for a vulnerability. There is already the same comment here on the talk page. [[User:Truman Burbank|Truman]] ([[User talk:Truman Burbank|talk]]) 13:54, 10 May 2018 (UTC)

== Edit request ==
{{Edit COI|answered=yes}}
Please replace the content of the article with [[User:Buidhe paid/Vulnerability (computing)]]. Reason: Improve content + sourcing, add new sections on such topics as vulnerability management, lifecycle, assessment, and legal issues. Thanks! [[User:Buidhe paid|Buidhe paid]] ([[User talk:Buidhe paid|talk]]) 23:56, 3 May 2024 (UTC)
:{{Respond|greencheck2|Done}} <!-- Template:ECOI --> v/r - <span style="font-family:Papyrus; color:#800080;">[[User:Seawolf35|Seawolf35]]</span> <sup style="font-family: Times New Roman; color: #006400;">[[User talk:Seawolf35|'''''T''''']]--[[Special:Contributions/Seawolf35|'''''C''''']]</sup> 13:23, 9 May 2024 (UTC)

== Wiki99 summary ==

Summary of changes as a result of the Wiki99 project ([https://en.wikipedia.org/enwiki/w/index.php?title=Vulnerability_(computing)&oldid=1219574430 before], [https://en.wikipedia.org/enwiki/w/index.php?title=Vulnerability_(computing)&oldid=1223078225 after], [https://en.wikipedia.org/enwiki/w/index.php?title=Vulnerability_%28computing%29&diff=1223078225&oldid=1219574430 diff]):

*Complete rewrite according to recent, reliable sources
*Fix unsourced content issues
*Add sections about vulnerability management, lifecycle, assessment, and legal issues
*Include content about how open source software relates to vulnerabilities
Future steps for other editors to consider:

*Improve the coverage to be even more comprehensive
*Update the article in response to future developments
[[User:Buidhe paid|Buidhe paid]] ([[User talk:Buidhe paid|talk]]) 19:33, 10 May 2024 (UTC)

Latest revision as of 08:34, 17 July 2024
