Vulnerability Management

Cleaning up the CVSS

Given how often IT vendors, from Oracle to Adobe to Microsoft, release both scheduled and out-of-band security updates, prioritization is a key part of any customer's patching strategy.

That mindset was the impetus behind the 2005 creation of the Common Vulnerability Scoring System (CVSS), a common standard maintained by FIRST (Forum of Incident Response and Security Teams) and used to convey the characteristics and impact of a security flaw. Since its release, a number of leading IT vendors have embraced the scoring system, and it has seen significant adoption within Fortune 500 businesses as a basis for assessing the severity of patches in their own environments. But while standardized vulnerability scores are essential, CVSS suffers from some flaws, said Brian Martin, content manager of the Open Source Vulnerability Database.

For instance, the framework gauges authentication and access complexity using outdated parameters that fail to capture modern scenarios, such as how easily an attacker can obtain valid credentials or how a malicious PDF reaches its victims.

“[There] are examples where it's overly simplified,” said Martin, who joined colleague Carsten Eiram in recently co-authoring an open letter to FIRST in advance of CVSS version 3, now under consideration. “You have to find a good balance between a granular scoring system and one that's easy to use.”

Harder to fix in the next CVSS version is the lack of specificity in the bug information that affected software and hardware makers provide to organizations like the National Vulnerability Database, which generate CVSS scores from it. In some cases, once all of the details eventually became public, it was apparent that certain flaws didn't deserve the high scores they had received. By then, however, businesses may already have thrown resources, or weekend work, at repairing a problem they could have waited on. “You don't have to give us all the technical details, but give us enough,” Martin said of IT makers.

Seth Hanford, chairman of FIRST's CVSS Special Interest Group, said many of the concerns raised by Martin and Eiram will be worked into the v3 release, scheduled for summer 2014.

“Virtualization, a major shift into threats targeting client-side vulnerabilities, and a greater need to capture more information about vulnerabilities – among other things – are all driving us to the improvements we have planned for v3,” he said in an email.
