The Inner Circle


NIST Internal Report (IR) 8409, Measuring the Common Vulnerability Scoring System Base Score Equation

  • 1.  NIST Internal Report (IR) 8409, Measuring the Common Vulnerability Scoring System Base Score Equation

    Posted Nov 16, 2022 09:21:00 AM
    Hi All,

    NIST has published NIST Internal Report (IR) 8409, Measuring the Common Vulnerability Scoring System Base Score Equation.

    Calculating the severity of information technology vulnerabilities is important for prioritizing vulnerability remediation and helping to understand the risk of a vulnerability. The Common Vulnerability Scoring System (CVSS) is a widely used approach for evaluating properties that lead to a successful attack and the effects of successful exploitation. This work evaluates the validity of the CVSS version 3 base score equation in capturing the expert opinion of its maintainers. Performing this analysis is necessary because the equation design has been questioned since it has features that are both unintuitive and unjustified by the CVSS specification. If one can show that the equation reflects CVSS expert opinion, then that study justifies the equation, and the security community can treat the equation as an opaque box that functions as described.

    This work shows that the CVSS base score equation closely -- though not perfectly -- represents the CVSS maintainers' expert opinion. These findings validate that the CVSS base score equation represents the CVSS maintainers' domain knowledge to the extent described by these measurements.

    @Kurt Seifried

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NIST Internal Report (IR) 8409, Measuring the Common Vulnerability Scoring System Base Score Equation

    Posted Nov 17, 2022 11:39:00 AM

    Here are my thoughts on the Common Vulnerability Scoring System (CVSS).

    CVSS captures the principal characteristics of software, hardware and firmware vulnerabilities, providing a universal language to help organizations understand the severity of the threat and determine their response.

    Basically, "what's the risk, and what will I patch first?"

    CVSS does not adequately convey the risk associated with a vulnerability, because it's software explicit and doesn't take into account the type of software and the impact.

    A common example is a vulnerability which exists within a web application: the vulnerability is evaluated based on the impact to the web server; impacts to other systems that may navigate to the web application containing the vulnerability are not taken into account.

    The score isn't adequately conveying the risk associated with a known vulnerability; it's just a snapshot in time of what the vulnerability looks like.

    For instance, SquirrelMail may have a CVSS score of 10, but the impact wouldn't be as severe as if the vulnerability affected Microsoft Exchange, due to the underlying architecture with Windows.

    Also, according to Tenable Research, 56% of all vulnerabilities are scored as High (CVSS score of 7.0–8.9) or Critical (CVSS score of 9.0–10.0), regardless of whether they are likely to ever be exploited.

    In my opinion it's a good system, but it needs to be considered within this context.

    ------------------------------
    Kurt Walther
    Unknown
    Contractor
    ------------------------------