CVSS is said to have been tested by about 30 companies since February, and now Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest, Qualys, Sintelli, Skybox Security and Unisys have all agreed to test the system and look into applicable usage.
The CVSS system promises to transform the way in which network threats are evaluated and dealt with: the common rating system it provides should give enterprises a framework against which to prioritize their patch routines and better manage risk, said Ed Cooper, VP of marketing for Skybox, a vendor of security risk management software.
He explained that the system uses a scale of 1 to 10 to rate the severity of vulnerabilities. It also lets organizations enter site-specific information, which yields a risk score customized to their operating environment.
Different systems for scoring vulnerabilities are in use today, and these systems use different metrics. CVSS weighs various criteria in a formula that includes measures of the impact of a vulnerability on system availability, data confidentiality and integrity, as well as the potential for collateral damage.
Commercial products like Skybox's are commonly used to measure the so-called Risk Index Exposure, a rating for assets that are regulated or valued by an organization. That is very useful for establishing a threshold for each application and how much risk can be tolerated. But the posture changes over time, as network changes are made, as new vulnerabilities appear, or as threats shift in their level of aggressiveness. With CVSS, that aspect can be normalized and correlated into a common system.
The company said the group is working together to build on the first-generation framework that has already been developed, in order to come up with a system that is usable and accepted across the industry.
CVSS has three components: a baseline vulnerability severity, which is then adjusted with temporal and environmental modifiers, so that any given bug has a different score depending on the time and on the enterprise's own network. As such, it provides a scoring mechanism that rates how secure a network is and stands as a basis for comparison against comparable peer networks.
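As an added illustration, not part of the article and not Skybox's or FIRST's code: the three-stage scoring described above (a base severity weighing availability, confidentiality and integrity impact, adjusted by temporal and environmental modifiers including collateral damage potential) implemented with the metric names, weights and formulas published in the 2005 CVSS v1 guide. Those weights and the rounding rule are assumptions taken from that guide rather than from this article, and the sample vulnerability scored at the bottom is constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weight tables as published in the CVSS v1 guide (FIRST, 2005).
# These are assumptions from that guide, not values given in the article.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias: (confidentiality, integrity, availability) weights.
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.9,
                  "functional": 0.95, "high": 1.0}
REMEDIATION_LEVEL = {"official_fix": 0.87, "temporary_fix": 0.9,
                     "workaround": 0.95, "unavailable": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.9, "uncorroborated": 0.95, "confirmed": 1.0}
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def round1(x: float) -> float:
    """Round half up to one decimal place (the guide's round_to_1_decimal)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av: str, ac: str, au: str,
               conf: str, integ: str, avail: str, bias: str = "normal") -> float:
    """Baseline severity: intrinsic, does not change over time or per site."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return round1(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                  * AUTHENTICATION[au] * impact)


def temporal_score(base: float, exploit: str, remediation: str,
                   confidence: str) -> float:
    """Temporal modifier: the same bug scores lower once a fix ships."""
    return round1(base * EXPLOITABILITY[exploit]
                  * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])


def environmental_score(temporal: float, collateral: str, distribution: str) -> float:
    """Environmental modifier: collateral damage raises the score, target
    distribution scales it by how much of this network is exposed."""
    return round1((temporal + (10 - temporal) * COLLATERAL_DAMAGE[collateral])
                  * TARGET_DISTRIBUTION[distribution])


def score_vulnerability(base_metrics: dict, temporal_metrics: dict,
                        env_metrics: dict) -> dict:
    """Run all three stages and return every intermediate score."""
    b = base_score(**base_metrics)
    t = temporal_score(b, **temporal_metrics)
    e = environmental_score(t, **env_metrics)
    return {"base": b, "temporal": t, "environmental": e}


if __name__ == "__main__":
    # Constructed sample: remotely reachable, no authentication, partial
    # loss of confidentiality, integrity and availability; a functional
    # exploit exists but an official fix is available and confirmed.
    sample = score_vulnerability(
        {"av": "remote", "ac": "low", "au": "not_required",
         "conf": "partial", "integ": "partial", "avail": "partial"},
        {"exploit": "functional", "remediation": "official_fix",
         "confidence": "confirmed"},
        {"collateral": "medium", "distribution": "high"},
    )
    print(sample)
    # Same bug, a site where no affected systems are deployed: the
    # environmental score drops to zero while the base score is unchanged.
    print(environmental_score(sample["temporal"], "medium", "none"))
```

The two printed results show the point the article makes: the base score is a fixed property of the bug, while the temporal and environmental stages move it up or down for a given moment and a given network, so two enterprises can rank the same advisory differently yet still share the base number.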
The new rating system is being backed by the Forum of Incident Response and Security Teams, and the body will encourage IT executives to start testing the index as one way to address the issues caused by the numerous incompatible scoring systems currently in place.
So far Microsoft has not publicly shown any close interest in the CVSS scheme, despite its operating systems being the largest source of vulnerabilities on corporate networks.