Thanks for playing along! By now you have probably seen that the winner of our tournament is Shellshock. I had long felt that Shellshock was the expected winner of Patch Insanity given the competition, and I wasn't expecting any major upsets, but there were definitely one or two. The big one for several of us was GHOST defeating EternalBlue; some members of Tripwire VERT expected the opposite result when they considered the two vulnerabilities and their real-world application. That is one of the key aspects of an objective scoring system: not everyone will agree, and the fact that there is room for debate demonstrates that the objectivity is working.
While the seeding was done using CVSSv2 base scores, which we know aren't perfect, the winners were decided using Tripwire's IP360 Vulnerability Scoring System. Our scoring system is designed to have real-world value and to allow accurate prioritization of vulnerabilities. This is why vulnerabilities that were closely matched in their initial seeding were blown out of the water when they came head to head.
In the division semi-finals, SambaCry came up against EternalBlue. The initial seeding favoured SambaCry (CVSSv2 10.0 vs 9.3), but under Tripwire IP360 scoring EternalBlue eked out a win (19426 vs 18455). In another division, the divisional final between Drupalgeddon and Dirty COW looked like a close matchup by seeding (CVSSv2 7.5 vs 7.2), but the scores weren't even close under our system (28880 vs 59).
While each of the available prioritization methods has its strengths and weaknesses, there is value in real-world application. That's why we thought seeding with one scoring system and determining winners with another would be a fun way (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tyler Reguly. Read the original post at: https://www.tripwire.com/state-of-security/vert/tripwire-patch-insanity-results/