I've ranted on here about Quality a great deal - I'm finally going to post something that shows a little bit about how seriously we take quality here. But first, a bit of history...
This industry was started by a bunch of hackers and admins - as such, the science of vulnerability signature writing came from the science of exploit writing. You either started with an exploit, or you started with a banner. We came from there, too. Our company's founder won Capture the Flag at Defcon two years in a row. We were all about exploits and banners at the beginning.
And then, somewhere in early 2001, that all changed. We started thinking about detecting vulnerabilities as a science in itself. We created a decision-tree structure for detecting applications. We invested our brains heavily into "feature-based" and "behavior-based" application and service profiling.
And we stopped looking for exploits and banners. We committed to 100% non-invasiveness, and we started looking for detection signatures. It was often heard at the time: "Banner checks suck!" That's obvious, now, of course.
Of course, when you start doing that, the first question that comes up is: "how do I know that what I'm doing is better than banners and exploits?"
And one of our engineers (Minoo) came up with the concept of what we came to call "Signature Precision" - it's the idea of limiting how far away (by codepath and information reliability) a check is from the ideal.
We take great care to differentiate this metric from the concepts of accuracy and quality: they're different things. It is possible that a rather imprecise check can be quite accurate. Or that a very precise check can have false positives and false negatives.
But our research shows that, over the long term, the higher your precision, the more likely it is that your checks will be better.
As far as I know, we're the only one in vulnerability management who is willing to talk about quality - I'd love it if our competitors were willing to talk openly with us about this. It'd let us serve all of our customers better.
You can find the precision metric whitepaper attached here. Please give it a read, and let me know what you think.
Comments (2)
A long time ago, Scott Blake and I did a paper for the very first Blackhat on how vuln scanners work, "Towards a Taxonomy of Network Security Assessment Techniques." So long ago, actually, that I no longer have the source to make a nice PDF.
http://www.homeport.org/~adam/taxonomy.ps
Posted by Adam Shostack | May 10, 2005 8:05 PM
The whitepaper is a good read, and I must say that I am liking the topic of quality in regards to vulnerability/patch management data.
The one comment I have about the whitepaper is about immutability. What if the application/attribute you are interested in (say some aspect of IIS) is highly immutable in the target app, but I could easily configure another app (say apache) to appear to be the target and contain that attribute? This would lead to a false positive.
Or do I have the concept wrong? (it is late after all) That would mean that immutability would have to consider the entire class of application (i.e. web servers) rather than a specific app.
But I think that is overkill :) Besides, who would do that anyways other than a honeypot? And who in their right mind would say your rules are imprecise because they did not correctly identify a system that was modified to masquerade as another system?
Posted by Bryan Batchelder | May 10, 2005 9:38 PM
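An added illustration, not from the post or the attached whitepaper, of two things discussed above: the post's point that precision (a property of the check itself) and accuracy (measured on data) are different, and the masquerading web server from the second comment. The immutability weights, header orderings and hosts are constructed placeholders, not measured properties of IIS or Apache.

```python
from dataclasses import dataclass

# Constructed immutability weights, 0.0 (changed with one config line) to
# 1.0 (tied to the application's code). Placeholder values, not measured.
IMMUTABILITY = {
    "server_header": 0.1,
    "header_order": 0.6,
    "error_page_shape": 0.8,
}

@dataclass(frozen=True)
class Host:
    true_app: str           # ground truth, used only for scoring
    server_header: str
    header_order: tuple     # constructed: order of response headers observed
    error_page_shape: str   # constructed: layout fingerprint of the error page

def banner_check(h: Host) -> str:
    """Imprecise check: trusts the Server banner alone."""
    return "iis" if "IIS" in h.server_header else "other"

def feature_check(h: Host) -> str:
    """More precise check: a small decision tree over harder-to-change attributes."""
    if h.header_order != ("Content-Length", "Server", "Date"):
        return "other"
    return "iis" if h.error_page_shape == "iis-style" else "other"

BANNER_ATTRS = ("server_header",)
FEATURE_ATTRS = ("header_order", "error_page_shape")

def precision(attrs) -> float:
    """A check is only as precise as its least immutable attribute."""
    return min(IMMUTABILITY[a] for a in attrs)

def accuracy(check, hosts) -> float:
    """Fraction of hosts classified correctly: measured on data, unlike precision."""
    def expected(h): return "iis" if h.true_app == "iis" else "other"
    return sum(check(h) == expected(h) for h in hosts) / len(hosts)

# Constructed hosts; MASQUERADE is Apache configured to advertise an IIS banner.
HONEST = [
    Host("iis", "Microsoft-IIS/6.0", ("Content-Length", "Server", "Date"), "iis-style"),
    Host("apache", "Apache/2.0.54", ("Date", "Server", "Content-Length"), "apache-style"),
]
MASQUERADE = Host("apache", "Microsoft-IIS/6.0", ("Date", "Server", "Content-Length"), "apache-style")

if __name__ == "__main__":
    for name, check, attrs in (("banner", banner_check, BANNER_ATTRS), ("feature", feature_check, FEATURE_ATTRS)):
        print(name, "precision", precision(attrs), "accuracy w/ masquerade", accuracy(check, HONEST + [MASQUERADE]))
```

On the honest hosts both checks score 100% accuracy, so the banner check looks as good as the feature check until a reconfigured server appears; precision tells the two apart before any such host is seen.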