• 0 Posts
  • 43 Comments
Joined 1 year ago
cake
Cake day: June 2nd, 2023

help-circle

  • SpacePirate@lemmy.mltoTechnology@lemmy.worldExecutive Director Of WordPress Resigns.
    link
    fedilink
    English
    arrow-up
    123
    arrow-down
    4
    ·
    edit-2
    2 days ago

    TL;DR: Cofounder of open source project says super popular platform using their project needs to pay up for inane reasons. Chaos ensues.

    In summary:

    WP Engine is one of the most popular third party platforms built on top of WordPress.

    They have a link and images on their webpage referencing that they are built on top of Wordpress (this is legal).

    The former cofounder of Wordpress said that they are illegally using the Wordpress trademark.

    WP Engine sends Cease and Desist.

    WordPress Cofounder doubles down, blocks WP Engine and demanded WP Engine pay licensing fees for using their branding.

    This pissed off a lot of people.

    WP Engine sues. For a lot, including extortion, abuse of power, and asserts the cofounder of WordPress has criminally made false statements to the IRS.

    The Executive Director for Wordpress resigns, presumably in solidarity with WP Engine and the community.
















    1. From the title of your article and your executive summary, the premise of your paper is that CVSS is flawed, and CITE is your solution.
    2. From the title of your article, and choice of name, “QHE CVSS Alternative; CITE”. CVSS is a VULNERABILITY Scoring System. CITE, as your propose, is a THREAT evaluation tool. You can see how one could have the impression that they were incorrectly being used interchangeably.

    As you yourself stated, CVSS does exactly what it says on the box. It provides a singular rating for a software vulnerability, in a vacuum. It does not prescribe to do anything more, and it does a good job doing what it sets out to do (including specifically as an input to other quantitative risk calculations).

    Compare what with attack?

    Your methodology heavily relies on “the analysis of cybersecurity experts”, and in particular, frequently references “exploit chains”, mappings which are not clearly defined, and appears to rely on the knowledge of the individual practitioner, rather than existing open frameworks. MITRE ATT&CK and CAPEC already provide such a mapping, as well as a list of threat actor groups leveraging tactics, techniques, and procedures (e.g., exploitation of a given CVE). Here’s a good articlewhich maps similarly to how we operate our cybersecurity program.

    I think there is a lot on the mark in your article about the issues with cybersecurity today, but again, I believe that your premise that CVSS needs replacing is flawed, and I don’t think you provided a compelling case to demonstrate how/why it is flawed. If anything, I think you would agree that if organizations are exclusively using CVSS scores to prioritize remediation, they’re doing it wrong, and fighting an impossible battle. But this means the organization’s approach is wrong, not CVSS itself.

    Your article stands better alone as a proposal for a methodology for quantifying risk and threat to an organization (or society?), rather than as a takedown of CVSS.