How does Security Team decide the level of a threat?

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by gettysburger on September 8, 2015 at 5:10pm

I am interested in learning about Drupal Security and appreciate the efforts of everyone on the Security Team. I am wondering what the best venue is to gain insight into how the team makes their decisions about what specific things trigger one level or another.

I am working on gaining an understanding of the NIST criteria, but was wondering if there is another venue I should be looking at for insight into the Security Team decisions.

Thanks!

Comments

You should be able to access

Posted by mlhess on September 8, 2015 at 5:23pm

You should be able to access our calculator tool at https://security.drupal.org/riskcalc . The scale is an adapted version of the NVD Common Vulnerability Scoring System. (https://nvd.nist.gov/cvss.cfm?calculator&version=2)

I'm working on a blog about the risk calculator!

Posted by dsnopek on September 9, 2015 at 4:23pm

I'm working on a blog about the risk calculator! I'll post a link here when it's finish :-)

Looking forward to your blog.

Posted by gettysburger on September 9, 2015 at 5:35pm

Thanks. I really appreciate it. I don't have a deep security background but need to get up to speed. I appreciate help unpacking this.

Here's my blog about the Risk Calculator the security team uses to determine the "Security Risk" of security advisories:

http://mydropninja.com/blog/understanding-drupal-security-advisories-risk-calculator

I hope you find it useful!

Please comment on the blog if something is difficult to understand or you wish more information on a particular element was included, etc..

Thanks!
David.

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /