Feeds

Federal flaw database commits to grading system

My vuln is worse than yours

Protecting against web application threats using SSL

A federal database of software vulnerabilities funded by the US Department of Homeland Security has decided on a common method of ranking flaw severity and has assigned scores to the more than 13,000 vulnerabilities currently contained in its database, the group announced last week.

The National Vulnerability Database, unveiled in August, completed its conversion over to the Common Vulnerability Scoring System, a industry initiative aimed at standardizing the severity rankings of flaws. The CVSS gives vulnerabilities a base score based on their severity, a temporal score that measures the current danger - which could be lessened by a widely available patch, for example - and an environmental score that measures an organization's reliance on the vulnerable systems.

"There does not exist or ever will exist a perfect technique for scoring vulnerability impact," Mell said. "CVSS appears to work very effectively and it was better than my current scoring system and so it made sense to adopt it."

The move to the Common Vulnerability Scoring System gives the flaw-ranking initiative a major boost. Created by security researchers at networking giant Cisco, vulnerability management software provider Qualys and security company Symantec, the CVSS has not been used widely, though many companies are considering scoring flaws with the system. (SecurityFocus is owned by Symantec.)

The grading of the previous vulnerabilities on the CVE list solves a problem that hampered adoption of the Common Vulnerability Scoring System, said Gerhard Eschelbeck, chief technology officer for Qualys and one of the founding members of the CVSS team.

"With the introduction of CVSS as a standardized vulnerability scoring system, the question appeared, how do we go back and score all the historical vulnerabilities released?" he said. "It is very encouraging to see NVD has taken on this big task, providing comprehensive CVSS scoring for even historical vulnerabilities."

To date, no software vendor has yet graded vulnerabilities in its product using the Common Vulnerability Scoring System. Microsoft, for example, has its own severity-grading system and has considered but not committed to supporting the CVSS. Microsoft's current scoring system - rating flaws as one of four levels of severity - works well for its customers, said a spokesperson for the software giant. The company did not rule out a future move to the ranking system, however.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.