June 2021
Beginner to intermediate
355 pages
5h 5m
Chinese
Content preview from Web应用程序安全
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
268
|
第
21
章
21.3
通用漏洞评分系统
CVSS
是一个免费发布的漏洞评分系统,根据漏洞的被利用的容易程度,以
及成功利用后可能危害到的数据或流程的类型,对漏洞进行排名(见图
21-
1
)。对于预算有限或缺乏专门安全工程师的组织来说,
CVSS
是一个很好的
出发点。
图
21
-
1
:CVSS 是一个经过时间检验的漏洞评分系统,可以在网上免费获得,并有详细的
文档
CVSS
的目的是作为通用的漏洞评分系统,因此它经常被人诟病,因为它不能
准确地对所有类型的系统或罕见的、独特的或链式的漏洞进行评分。话虽如此,
但作为一个通用的漏洞评分系统,针对常见的(
OWASP
前
10
名)漏洞,这
个开放的漏洞评分框架已经做得很好了。
在写这篇文章的时候,
CVSS
系统的版本是
3.1
,它将漏洞评分分为几个重要
的子部分:
•
基础分——漏洞本身的基础评分。
漏洞管理
|
269
•
时间分——随着时间推移,漏洞的严重性评分。
•
环境分——根据漏洞所处的环境打分。
最常用的是
CVSS
基础分,而时间分和环境分只在比较高级的情况下才会使
用。让我们来深入了解一下这些评分的每一个评分。
21.3.1 CVSS
:基础评分
CVSS v3.1
基础评分算法需要八个输入项(见图
21-2
):
•
攻击区域(
AV
)。
•
攻击复杂性(
AC
)。
•
所需权限(
PR
)。
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.