Leading IT companies including Cisco Systems, Microsoft , and Symantec are promoting a rating system that will standardize
the measurement of the severity of software vulnerabilities.
A plan for the new system, called the Common Vulnerability Scoring System (CVSS), was unveiled at the RSA Conference in San
Francisco on Thursday. If widely adopted, the new system will provide a common language for describing the seriousness of
computer security vulnerabilities and replace different, vendor-specific rating systems, according to a presentation on the
system by Mike Schiffman, a researcher at Cisco.
The new scoring system is part of a project by the National Infrastructure Advisory Council to create a global framework for
disclosing information about security vulnerabilities. Representatives from across government and industry contributed to
the new CVSS proposal, including eBay, Qualys, Internet Security Systems, and Mitre.
NIAC is part of the U.S. Department of Homeland Security and is concerned with the security of information systems that support
critical infrastructure for areas such as banking, finance, transportation, energy, and manufacturing.
CVSS will use standard mathematical equations to calculate the severity of new vulnerabilities based on basic information
such as whether a vulnerability can be remotely exploited, or whether an attacker must log in to a vulnerable system before
being able to take advantage of a security hole, said Gerhard Eschelbeck of Qualys.
CVSS ratings will also consider timing issues, such as whether an exploit or a software patch for a specific vulnerability
is available, and how long it has been available, he said.
The new rating system will be akin to the Common Vulnerabilities and Exposures (CVE) database that is maintained by Mitre
and provides standard identifiers and information about software holes. As with CVE, vendors will most likely use CVSS ratings
as a common base of reference, but continue to offer their own analysis or threat assessments, Eschelbeck said.
IT security vendors will use the CVSS in their products to evaluate and prioritize software vulnerabilities. Vendors will
also be asked to provide ways for customers to enter information about their IT environment, such as the number and type of
systems affected, before calculating a final CVSS rating, he said.
For example, a remotely exploitable vulnerability that affects a worker's desktop system might have a different CVSS rating
than one that affects a critical payroll or human resources server, Eschelbeck said.
The system will be different from rating systems such as Symantec's ARIS attack scoring system because it will not be used
as a warning system for malicious code outbreaks, according to Schiffman's presentation.
CVSS has backing from major IT players and a detailed plan for implementation. However, the system doesn't yet have a home.
Organizers are looking for companies or organizations, such as NIAC or Mitre, to host CVSS and provide portals for Internet
users and IT vendors to access the information, Eschelbeck said.
Once it has a host and is widely implemented, CVSS will give IT administrators and vendors an easy way to assess the relative
risk of software vulnerabilities and to prioritize patching on large networks, he said.
"It used to be that people never patched their systems, and that didn't work. Then the common wisdom was that you had to patch
everything, and that wasn't realistic, either," Eschelbeck said.
"The truth is somewhere in the middle of the two, and prioritization is the key to that," he said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
