Talk:Vulnerability (computer security)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Pnm (talk | contribs) at 02:18, 25 December 2010 (Fix Computing importance conflict). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

What is a vulnerability

I think this is a good idea -- the Software security vulnerability article can be used as part of the Vulnerability article.

I am curious, doesn't vulnerability need to say that it's "vulnerable to" something? For example, we don't say that "New Orleans is vulnerable." We might say that "New Orleans has a high vulnerability to a Force 5 hurricane," but could we just say that the "New Orleans levees have high vulnerabilities to hurricanes"? I don't think so, since they really were only vulnerable to level 5 and higher. There needs to be a force against. Or a threat... in fact, more specifically, there needs to be a specific amount of threat. Like FORCE 5 hurricanes. In computing, vendors have erroneously stated that a server has a high vulnerability... but often without regard to what amount of threat. My server has almost no vulnerabilities if my threat agent is a four-year-old girl. But a skilled, malicious hacker sponsored by a terrorist state might make Swiss cheese of my server. Did my vulnerability just change based on the threat agent's capabilities? I think it did. Maybe we should consider adding something that states that vendors of security products typically over-generalize the acting threat agents... or do they even consider them? -- Anonymous

There are computer vulnerabilities, network vulnerabilities, application vulnerabilities ... each layer of the network stack is subject to attacks based on the properties of that layer. Like saying New Orleans is vulnerable to weather, famine, disease ... Tanjstaffl (talk) 00:26, 19 April 2007 (UTC)

Disclosure

I think the section on full disclosure starts out good, showing a balanced view of the topic, but then takes a biased point of view. I myself am generally considered an expert in the security arena that the public listens to, and I don't fully agree with full disclosure; it's a complicated issue. It should be discussed by all means, but the sentence that reads "From the security perspective, only a free and public disclosure can ensure that all interested parties get the relevant information. Security through obscurity is a concept that most experts consider unreliable." onward takes a biased viewpoint on the issue. There are pros and cons to both sides, and Wikipedia shouldn't be taking sides on this or any controversial issue. --Michael Lynn 23:39, 20 March 2007 (UTC)

I agree. Disclosure methods are controversial, prone to biased viewpoints, and will probably stay that way for the foreseeable future. I moved that section from its original place in the article (where it didn't belong at all, imo) and made a minor change to reduce some of the bias, but I think it needs to be completely reworked. What might work is to have a para on different methods of disclosure (i.e. full disclosure, "responsible disclosure", "pre-disclosure", etc.). Even then that can be tricky to write without bias (ex: what is "responsible disclosure"?). Dman727 03:05, 21 March 2007 (UTC)

Advertising

It bugs me to see so many links to commercial products here; it's not representative of the whole market, and even if it was, this is not an advertising venue, it's an encyclopedia. Can we clean up that garbage? --Michael Lynn 22:14, 13 April 2007 (UTC)

The first paragraph

The first paragraph seems to have been plagiarized from http://www.techcert.lk/index.php?option=com_content&task=view&id=5&Itemid=33 so I have removed it. --Waldo (talk)

A construct in a computer language is said to be a vulnerability when many program faults can have their root cause traced to its use.

I removed this; it was reverted. Fair enough. But I hope that a good reference will be added soon, or I'll remove it again.

Memory allocation bugs are a big source of vulnerabilities. But who calls memory allocation a vulnerability? Likewise, people screw up all the time with pointers. But I've never heard the pointers themselves called "a vulnerability." A potential source of vulnerabilities, sure.

Now, it's entirely possible that during my existence I've just completely missed this use of terminology. If it is in fact used in practice, please add a reliable reference. Thanks, WalterGR (talk | contributions) 01:18, 18 March 2008 (UTC)

Good point. Perhaps the appropriate term to use is source of vulnerabilities, or common source of vulnerabilities. One reference is this work. Derek farn (talk) 02:11, 18 March 2008 (UTC)

Tags

This article has been tagged for a long time. Are there still active disputes? If so, let's address them. If not, or no one cares, let's delete any problematic sections of the article, and remove the tags. --Elonka 04:39, 3 August 2008 (UTC)