WhiteHat Security Products

CVSS v3 – Updating Risk Quantification

When managing an organization’s IT infrastructure security program, one can be overwhelmed with large numbers of vulnerability findings. Prioritizing vulnerabilities is an issue because different vendors for different parts of the IT infrastructure (network, DB, application and end points,) find vulnerabilities but sometimes rate them with different proprietary rating methods. Because of this, it can be challenging for organizations to compare and prioritize vulnerabilities and findings across network and application. CVSS overcomes this vulnerability priority challenge by defining common vulnerability scoring system across the entire IT stack.

For those just tuning in to discussions of Risk and Scoring of Risk, FIRST organization is the custodian of the Common Vulnerability Scoring System (CVSS), an open framework to help communicate the characteristics and impacts of various vulnerabilities. This particularly works for vendors who discover vulnerabilities to offer up a score on those vulnerabilities for users to help decide priority and patching urgency. WhiteHat has updated to the v3 version of CVSS as being the most accurate and precise measurement available, to allow a common language for vulnerability management.

What makes up the CVSS score is a combination of factors with different weights. The most important difference between V2 and V3 is the customizability of base score based on customer’s IT security risk profile.

The new CVSS v3.0 Ratings add additional categories (None, Critical) with a more granular breakdown.

In CVSS v2, the impact was scored relative to the underlying operating system (O/S). To a certain extent, that is not always possible for all application types; hence now in CVSS v3 Vector, complexity, privilege, and user interaction are all a function of a vulnerable component rather than the O/S. Confidentiality, integrity and availability will now be scored relative to the impacted component. That means that if a feature in component A is terribly vulnerable, and it makes a bad thing happen in component B, we can measure the end-to-end vulnerability score more accurately with the new CVSS rating system.

Since most organizations need to have discretion about how the CVSS score calculated by vendors to maps to their IT security risk profile, customizability of base score is a very important addition to CVSS V3. This helps them uniformly manage information security across the organization and customize it per their IT security policy, melding application security principles with network security principles in a holistic security way, which is of course the goal of all standardization.

In anticipation of making the switch from CVSS v2 to v3 permanent, WhiteHat also added the ability for customers to set their own customized vulnerabilities, as dictated by their internal security policy and practices.