Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split safety impact into supplier / deployer safety impacts #1

Closed
ahouseholder opened this issue Sep 9, 2020 · 2 comments · Fixed by #51
Closed

Split safety impact into supplier / deployer safety impacts #1

ahouseholder opened this issue Sep 9, 2020 · 2 comments · Fixed by #51
Assignees
@ahouseholder @j---
Labels
enhancement New feature or request
Milestone
SSVC v2.0

Comments

@ahouseholder
Copy link
Contributor

ahouseholder commented Sep 9, 2020
edited

(This was actually from @j--- I think, I just copied & pasted the text into the issue, so be careful when dereferencing the pronoun "I" in the below)
"Safety Impact" probably needs to be split up into one for the vendor and one for the applier. I think the vendor one could be re-used by a coordinator. I'd call it "public safety impact" or some such. The Applier one would be "situated safety impact" or some such.
@ahouseholder ahouseholder added the enhancement New feature or request label Sep 9, 2020
This was referenced Sep 9, 2020
Closed
Closed
Closed
@ahouseholder ahouseholder added this to the SSVC v2 milestone Oct 2, 2020
@j---
Copy link
Collaborator

j--- commented Oct 8, 2020

This is also related to feedback from https://blog.secursive.com/posts/critical-look-stakeholder-specific-vulnerability-categorization-ssvc/
Basically that "safety impact" as written in v1 is too complicated / fine grained for the supplier to provide accurately.

@ahouseholder ahouseholder changed the title Split safety impact into vendor / applier safety impacts Split safety impact into supplier / deployer safety impacts Oct 16, 2020
@ahouseholder
Copy link
Contributor Author

ahouseholder commented Oct 16, 2020
edited

Updated plan based on recent discussions:

  • Combine none/minor categories into one, leaving 4 levels
  • Split safety into separate decisions for supplier / deployer
  • Supplier is focused on public_safety
  • Supplier maps those 4 levels to 2 (maybe 3) public_safety_impact categories (L/H or L/M/H)
  • Deployer is focused on situated_safety
  • Deployer version integrated with Mission Impact Merge situated safety impact and mission impact into a unified factor #7 in a ~4x4 table that maps both dimensions impact into a combined 3 safety&mission_impact categories (L/M/H)

End result for Deployers will be that safety & mission will go from 5x5=25 possibilities to 4x4 -> 3 categories which should reduce the complexity of the deployer tree considerably.

This was referenced Oct 16, 2020
Closed
Closed
@ahouseholder ahouseholder mentioned this issue Oct 26, 2020
Closed
ahouseholder referenced this issue in ahouseholder/SSVC Oct 26, 2020
@ahouseholder
Compress safety and mission impacts fix for #1(+11 squashed commits)
4c76ef9 
Squashed commits:
[07497bd] compress SafetyImpact into PublicSafetyImpact
[6b9c932] ignore a helper xlsx file
[576f968] reset inadvertent change
[419349d] remove index on supplier csv (+1 squashed commit)
Squashed commits:
[6486a57] add full supplier csv
[6918107] remove index on simplified csv (+1 squashed commit)
Squashed commits:
[1845f90] add simplified csv
[7d07685] add combined safety/mission impact column
[52dd62a] remove duplicates after collapsing from 5-4. Keep highest outcome
[898a082] collapse two lowest mission and safety impacts into one level each and remove duplicates
[b344dea] remove row indices (make future diffs cleaner)
[420559c] copy csv files for version 2
[d07e953] fix some straggling Applier / Developers (+2 squashed commits)
Squashed commits:
[878a91d] wip commit (+1 squashed commit)
Squashed commits:
[59637d6] fix applier/deployer sub

wip commit
[80dd092] revert unintended change
This was referenced Oct 26, 2020
Merged
Closed
zmanion added a commit that referenced this issue Oct 29, 2020
@zmanion
Merge pull request #51 from ahouseholder/feature/fix_1
aa55a3c 
Compress safety and mission impacts fix for #1 (+11 squashed commits)
laurie-tyz added a commit that referenced this issue Oct 30, 2020
@laurie-tyz
Merge pull request #1 from CERTCC/main
dbc0341 
getting a fresh copy of the repository
j--- pushed a commit that referenced this issue Nov 24, 2020
@laurie-tyz
Merge pull request #1 from CERTCC/main
1cfe69b 
Update
@j--- j--- mentioned this issue Oct 12, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ahouseholder ahouseholder

@j--- j---

Labels
enhancement New feature or request
Projects
None yet
Milestone
SSVC v2.0
2 participants
@ahouseholder @j---