Michael Thumann and I had the chance to give a talk at this year’s ISSE conference in Brussels, Belgium. ISSE was founded in 1999 as an initiative of the European Commission Directorate General Information Society. The con had a focus on eGovernment, electronic business processes and the corresponding security issues.
We talked about ERRS, the ERNW Rapid Rating System, which can be used to perform a vulnerability rating for findings that result from different kinds of sources. Audits and pentests will find a vast number of vulnerabilities in the infrastructure. To deal with these vulnerabilities, you have to prioritize them in order to use resources effectively. We tried to adopt the strengths of metrics like CVSS and developed our own set of parameters to calculate the metric, focussing on the relevant customer questions concerning vulnerabilities from all kinds of sources.
Feel free to contact us with questions and feedback concerning ERRS!