
What Does the New CVSS 3.1 Scoring Model Mean for Enterprise Security?

With thousands of security vulnerabilities reported each month in products ranging from hardware devices to firmware to popular software apps, how does one prioritise what needs the most attention? From a business and project management perspective, it makes sense to, first and foremost, allocate engineering and/or risk assessment resources to the most severe vulnerabilities that need immediate patching. Trivial vulnerabilities, which are likely to be practically unexploitable in the current business context, could be addressed at a later time, if at all.

To solve this problem, an open standard, the Common Vulnerability Scoring System (CVSS), was devised in 2004 by the National Infrastructure Advisory Council (NIAC).

The CVSS score is a way to assess the severity of a vulnerability. It consists of a base score assigned to the vulnerability, followed by temporal and environmental scores that adjust it for factors surrounding the vulnerability.

[Figure: CVSS 2.0 calculator]

[Figure: CVSS 3.0 calculator]

The initial CVSS standard released to address this problem, however, did not undergo extensive peer review. Only after receiving valuable feedback from industry stakeholders was version 2.0 introduced with some improvements. The most noticeable changes came in CVSS version 3.0, which altered the Base score by replacing Authentication (Au) with the Privileges Required (PR) metric and adding Scope (S).

Over the last decade, CVSS 2.0 and 3.0 scoring has been used most widely when reporting vulnerabilities across NVD and MITRE, along with a few other platforms.

What Changed in Version 3.1: Context

Where CVSS 2.0 and 3.0 scores could have been ‘erroneously’ employed as a measure of the risk arising from a vulnerability, the CVSS 3.1 standard, maintained by FIRST (Forum of Incident Response and Security Teams), explicitly clarifies “CVSS (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Akshay 'Ax' Sharma. Read the original post at: https://blog.sonatype.com/what-does-the-new-cvss-3.1-scoring-model-mean-for-enterprise-security