CVSS v3 Is Still Missing The Target For Prioritization

The Common Vulnerability Scoring System (CVSS) is the leading standard for rating the severity of vulnerabilities in software components. Maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS aims to give security professionals a common yardstick for understanding the vulnerabilities in the software components they use in their products.

Under CVSS v3, vulnerabilities are rated against a set of standard metrics, each of which takes one of a few fixed values that map to numeric weights. First come the Base metrics, which capture how exploitable the vulnerability is (attack vector (AV), attack complexity (AC), privileges required (PR), and user interaction (UI)), whether exploiting it crosses a security boundary (Scope (S)), and its impact on confidentiality (C), integrity (I), and availability (A); together these produce the Base Score. Second, the Temporal metrics allow the score to change over time, taking into account how mature the exploit code is (Exploit Code Maturity, E), what kind of fix is available (Remediation Level, RL), and how well the vulnerability is confirmed (Report Confidence, RC). Finally, the Environmental metrics let an organization adjust the score for its own deployment: the Security Requirements (CR, IR, AR) state how important confidentiality, integrity, and availability are for the affected data or system, and the Modified Base metrics override individual Base metrics where the organization's environment changes them (for example, a network-reachable service that is only exposed on an internal segment).

CVSS v2 broke vulnerability severities down into three categories based on the Base Score: Low (0.0-3.9), Medium (4.0-6.9), and High (7.0-10.0). As is the norm in the development community, there were complaints aplenty that CVSS v2 was not up to the task. This led to the development of CVSS v3, which adds a little more nuance: a Critical category for vulnerabilities that fall into the 9.0-10.0 bracket (High now covers 7.0-8.9), as well as new metrics such as Scope (S) and User Interaction (UI), with Privileges Required (PR) replacing v2's Authentication (Au).

Ultimately, the system is meant to help teams assess their level of risk and prioritize their remediation work accordingly. That prioritization is the whole job of a rating system. Think about storm warnings or other systems where (Read more...)

This is a Security Bloggers Network syndicated blog from Blog – WhiteSource, authored by Gabriel Avner.