Slow-Going For Next-Generation Threat-Scoring System


The Common Vulnerability Scoring System (CVSS) was commissioned by the National Infrastructure Advisory Council (NIAC) and is backed by the likes of Cisco Systems, Symantec, Internet Security Systems (ISS) and eBay. Unlike proprietary rating systems, CVSS employs standard, published mathematical equations to determine the severity of threats, factoring in criteria such as whether a vulnerability can be remotely exploited or whether an attacker has to be logged in to exploit the flaw.
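As an added illustration, not part of the article, the following Python computes a CVSS base score from a metric vector so the effect of the remote-versus-local and login-required criteria is visible as a number. It assumes the CVSS v2 base equation and metric weights, which postdate this article and which the article itself does not name; the sample vectors are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights (assumed here; taken from the v2 specification,
# the article does not state which CVSS version or weights are in use).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # multiple / single / none
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}      # none / partial / complete


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', ...}, validating each metric."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(metrics) != expected:
        raise ValueError(f"vector must contain exactly {sorted(expected)}")
    return metrics


def _round1(value: float) -> float:
    # CVSS rounds half up to one decimal; Python's round() is banker's rounding.
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """CVSS v2 base score: combines an impact subscore and an exploitability subscore."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                        * (1 - IMPACT_WEIGHT[m["I"]])
                        * (1 - IMPACT_WEIGHT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    # A flaw with no impact scores 0 regardless of how easy it is to reach.
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def compare_reachability(impacts: str = "C:P/I:P/A:P") -> dict:
    """Same impact, different reachability: remote with no login vs. local needing a login."""
    return {
        "remote_no_auth": base_score(f"AV:N/AC:L/Au:N/{impacts}"),
        "local_single_auth": base_score(f"AV:L/AC:L/Au:S/{impacts}"),
    }


if __name__ == "__main__":
    for name, score in compare_reachability().items():
        print(f"{name}: {score}")
```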

Cisco is using CVSS to assess the risk of vulnerability to its own network, said Mike Caudill, incident manager for Cisco's Product Security Incident Response Team (PSIRT). "CVSS gives you a vendor-neutral scoring system, which allows you to evaluate risk and create metrics for diagnosing the severity of vulnerabilities," he said.

The National Vulnerability Database (NVD), which contains all publicly available information on vulnerabilities in vendors' products, provides CVSS base scores on all newly discovered flaws. NVD is sponsored by the Department of Homeland Security's National Cyber Security Division.

"We would encourage vendors to use CVSS as another data point. Right now, if we have a vendor publishing CVSS scores and they're on the light side, people can go check it for themselves," Caudill said.


How Vendors View CVSS
McAfee isn't currently using CVSS in any of its services but is evaluating the system, said Monty Ijzerman, senior manager of the Global Threat Group at McAfee Avert Labs. "We're figuring out if we can use CVSS the way it is -- and if it suits our needs. I'm not sure if it's granular enough to evaluate vulnerabilities," Ijzerman said.

At some point, McAfee might consider using CVSS on its Threat Center website, Ijzerman said. "Currently, we list vulnerabilities on the Threat Center Web site using our own scoring system, but I could envision replacing our own scoring system with CVSS," Ijzerman said, adding that no official decision is imminent.

Symantec is also in the process of determining where CVSS will fit, said Vincent Weafer, senior director of development for Symantec's security response group. "We're certainly going to pick up significant portions of CVSS," Weafer said. "Ideally, we'd like to see DeepSight [ratings] go into a single score."

The X-Force research team at ISS is doing side-by-side comparisons of its legacy rating system with CVSS as it works to make its entire product line CVSS compatible, said Peter Allor, director of intelligence at the Atlanta-based company.

Tough Road Ahead
Although there's definitely a need to keep vendors from downplaying flaws -- and to keep researchers from exaggerating them -- CVSS attempts to calculate factors that often can't be reliably assessed or that depend on an individual's perception, said Thomas Kristensen, CTO at Danish security research firm Secunia. For that reason, Secunia doesn't plan on adopting CVSS anytime soon, Kristensen said.

Stephen Northcutt, president of the SANS Technology Institute, a postgraduate security college, isn't bullish on the prospects of CVSS becoming a standardized method for rating vulnerabilities. "I don't believe the issue will be solved by CVSS," Northcutt said.

A former member of the Common Vulnerabilities and Exposures (CVE) Editorial Board, Northcutt said that group never managed to get many vulnerabilities written down and often became bogged down. "The human process of having to vote as a board is so labor-intensive, if it's not explicitly funded, it doesn't happen," he said.

However, Northcutt does feel it's important to have an index to compare what different vendors are saying about vulnerabilities. "I just don't believe anyone is taking CVSS seriously enough to give it the funding it needs to be successful," he said.

Bill Calderwood, president of The Root Group, a Boulder, Colo.-based solution provider, said the road to CVSS will be a tough one, but he believes the system can work. "It will require the resources and funding that will ensure staffing levels, skill sets and processes that can provide the information in an accurate and timely fashion," he said.

Jim Krantz, president of Krantz and Associates, a New York-based solution provider, agreed. "Having an independent rating system has some value, but unless you're examining what the system is doing and how it's doing it, it's difficult to place context on any vendor's flaws," Krantz said.

"Today, we're still doing due diligence on the issues so that we can talk about them with customers -- I don't see any way around that," Krantz added.