Updating "criticality" levels to match scores

greggles wrote:

A while ago, after a lot of great research and work (mostly by Michael Hess), we rolled out a new style of scoring individual security advisories. The system is based on NIST's scoring at https://t.co/Pvhzn9CHP2

For example, a recent issue had a "score" of
7/25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All

The score and coding is meant to explain the risk, but it's rather cryptic.

To try to be more "human friendly" we also still say things like "Highly Critical" and "Less Critical" and "Not Critical".

The format of the title of advisories recently switched to put the most important information at the front of the title.

For example, the new format is: Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119 while the old format would have been "SA-CONTRIB-2015-119 - Apache Solr Real-Time - Access Bypass" which leaves the recipient to dig into the body to see how critical it is.

What do folks think about these changes?

What further changes should we consider?

Comments

I always forget what I have

klausi wrote:

I always forget what I have to fill out for a standard XSS issue when creating the advisory draft on security.drupal.org. So we should have common patterns of the 5 scores for XSS, CSRF etc. that will be similar in such cases.

Yes, this seems like

greggles wrote:

Yes, this seems like something we should solve in our internal docs for the team.

I'm more interested in discussion of how Drupal admins who are receiving the reports perceive this information.

I think the changes are a

alexharries wrote:

I think the changes are a great idea :) Anything which lets a sysadmin quickly identify security issues which are likely to have an impact on code which they maintain is a Good Thing.

I know I for one am guilty of burying my head in the sand sometimes when it comes to dealing with security issues - often, the Drupal security advisories arrive in my inbox around the same time I arrive at home after a long work day, and despite the best of intentions, by the time I arrive in work the following morning ready for a productive day, they're long-forgotten.

/Alex

I definitely noticed the

davidhernandez wrote:

I definitely noticed the change, and it is a good one. I could see what project is affected and the severity. This immediately told me how relevant the message was.

What about Critical first?

hometoy wrote:

I know it is minor, but I think I would prefer to see the severity first followed by the package and further details. I do like the "human readable" aspect, though.

This way I could set up a rule for "Critical" to be made more visible (colors, importance, etc.) instead of wading through all of them if there are a lot that come out at once.

Example:
Critical - Apache Solr Real-Time - Access Bypass - SA-CONTRIB-2015-119

Or I could use that to sort the email alerts and put all the "Critical" together for addressing.

The next thing I usually do is look to see what it affects (and then which version) before reading the details of what is going on, etc.

But that's just me. I only run a fairly basic site for the company.

It's a tricky thing to get

greggles wrote:

It's a tricky thing to get right. I believe the logic was that there are thousands of modules and yet most people only care about ~30-100 of them. The first item in the subject should be the bit of text that can best determine if the advisory applies to a given site which is definitely the module name. I think you can still create rules for the critical text, it might give a false positive if a module is called "Critical" but that seems like an acceptable edge case ;)
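The two subject layouts and the score string described in the original post, together with the mail-rule discussion in hometoy's and greggles's comments above, lend themselves to a small parser: once the subject is split into its fields, a rule can match the criticality field exactly instead of grepping for "Critical", which would also fire on "Less Critical", "Not Critical" and the hypothetical module called "Critical". The following is an added example and not code from the Drupal security team; the only real subjects in it are the two SA-CONTRIB-2015-119 variants quoted in the post, the other subjects use placeholder ids and a made-up "Example Module", and the ordering of levels in LEVEL_ORDER is assumed from the level names the thread mentions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Added example: parse the advisory subject and the score vector from the post,
# then triage advisories on the structured fields rather than on a substring.

SA_ID_RE = re.compile(r"SA-(?:CORE|CONTRIB)-\d{4}-\d{3}$")

# Levels named in the thread, highest first. Any level not listed sorts last.
# (Assumed ordering; the thread does not spell out the full scale.)
LEVEL_ORDER = ["Highly Critical", "Critical", "Less Critical", "Not Critical"]


@dataclass(frozen=True)
class Advisory:
    project: str
    criticality: Optional[str]  # None for the old format (level not in subject)
    vuln_type: str
    sa_id: str


def parse_subject(subject: str) -> Advisory:
    """Parse both subject layouts quoted in the post.

    new: <project> - <criticality> - <vulnerability type> - <SA id>
    old: <SA id> - <project> - <vulnerability type>
    The project is whatever remains once the fixed fields are taken from the
    ends, so a project name that itself contains " - " still parses.
    """
    parts = [p.strip() for p in subject.split(" - ")]
    if len(parts) >= 4 and SA_ID_RE.match(parts[-1]):
        return Advisory(project=" - ".join(parts[:-3]), criticality=parts[-3],
                        vuln_type=parts[-2], sa_id=parts[-1])
    if len(parts) >= 3 and SA_ID_RE.match(parts[0]):
        return Advisory(project=" - ".join(parts[1:-1]), criticality=None,
                        vuln_type=parts[-1], sa_id=parts[0])
    raise ValueError(f"unrecognised advisory subject: {subject!r}")


SCORE_RE = re.compile(r"^(\d+)/(\d+)\s+([A-Z]+:[A-Za-z]+(?:/[A-Z]+:[A-Za-z]+)*)$")


def parse_score(score: str) -> Dict[str, object]:
    """Split '7/25 AC:Basic/A:Admin/...' into total, maximum and one entry per
    metric key (AC, A, CI, II, E, TD as they appear in the post)."""
    m = SCORE_RE.match(score.strip())
    if not m:
        raise ValueError(f"unrecognised score string: {score!r}")
    metrics = dict(item.split(":", 1) for item in m.group(3).split("/"))
    return {"total": int(m.group(1)), "max": int(m.group(2)), **metrics}


def level_rank(level: Optional[str]) -> int:
    return LEVEL_ORDER.index(level) if level in LEVEL_ORDER else len(LEVEL_ORDER)


def has_level(adv: Advisory, wanted: Iterable[str]) -> bool:
    """Exact match on the criticality field. A substring rule for 'Critical'
    would also fire on 'Less Critical', 'Not Critical' and on a project that
    happens to be called 'Critical'; this does not."""
    return adv.criticality in set(wanted)


def triage(subjects: Iterable[str], watched_projects: Iterable[str]) -> List[str]:
    """Keep advisories for the projects a site actually runs (the reason the
    module name leads the subject), then order them most critical first.
    Returns the SA ids in that order."""
    watched = set(watched_projects)
    kept = [a for a in (parse_subject(s) for s in subjects) if a.project in watched]
    kept.sort(key=lambda a: (level_rank(a.criticality), a.sa_id))
    return [a.sa_id for a in kept]


# Constructed sample inbox: the subject from the post plus placeholder ids.
SAMPLE_SUBJECTS = [
    "Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119",
    "Critical - Less Critical - Cross Site Scripting - SA-CONTRIB-0000-001",  # module named "Critical"
    "Example Module - Highly Critical - SQL Injection - SA-CONTRIB-0000-002",
    "Example Module - Not Critical - Information Disclosure - SA-CONTRIB-0000-003",
]

if __name__ == "__main__":
    print(parse_score("7/25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All"))
    print(triage(SAMPLE_SUBJECTS, ["Example Module", "Apache Solr Real-Time"]))
```

The score parser only splits the vector into its named parts; the point weights behind the 7/25 total are not given in the thread, so the example does not try to recompute it.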

lesleyb wrote:

I really appreciate having the level of a security problem in the status line.

I'm fine with it where it occurs now because I can first decide whether the module applies to my installations before I concern myself any further. Then I work through the criticals first.

I can see that it might be useful to have the level first if you want to order the security advisories by level within your email client but that's never really been an issue for me.

Kind regards and thanks for the work on this

lesleyb