Re: Risk Calculator for Oracle Critical Patch Updates (Oracle-L mailing list)

Well I'm one of those groups (dba and manager) and it seems to me that CVSS
only really helps where the organisation doesn't have a basis for discussion
already. In particular it's a little overstating the case to state that CVSS
is objective given that it scores based on subjective judgements on a number
of the core elements of the score (e.g. collateral damage potential). In
addition it's difficult to see how to relate CVSS scores to dollar cost of
implementing the fixes. Especially as the dollar cost may not be known -
applying a CPU may require one or more application code updates and
associated testing. So for example the Oct CPU score for my organisation I
calculate as 5.9. Is that enough to delay a project promised before year end
or not? That in the end can't be an objective decision. Suppose I decide it
doesn't justify it, and go through a similar process with the next 2 CPUs
(say they score 5.8 and 6.3). Does the fact of not having applied 2 previous
CPUs affect how I use the score of 6.3 in 6 months' time?

--
Niall Litchfield
Oracle DBA
http://www.orawin.info
--
http://www.freelists.org/webpage/oracle-l

Received on Mon Nov 26 2007 - 09:38:19 CST