Feeds

Federal flaw database commits to grading system

My vuln is worse than yours

3 Big data security analytics techniques

A federal database of software vulnerabilities funded by the US Department of Homeland Security has decided on a common method of ranking flaw severity and has assigned scores to the more than 13,000 vulnerabilities currently contained in its database, the group announced last week.

The National Vulnerability Database, unveiled in August, completed its conversion over to the Common Vulnerability Scoring System, a industry initiative aimed at standardizing the severity rankings of flaws. The CVSS gives vulnerabilities a base score based on their severity, a temporal score that measures the current danger - which could be lessened by a widely available patch, for example - and an environmental score that measures an organization's reliance on the vulnerable systems.

"There does not exist or ever will exist a perfect technique for scoring vulnerability impact," Mell said. "CVSS appears to work very effectively and it was better than my current scoring system and so it made sense to adopt it."

The move to the Common Vulnerability Scoring System gives the flaw-ranking initiative a major boost. Created by security researchers at networking giant Cisco, vulnerability management software provider Qualys and security company Symantec, the CVSS has not been used widely, though many companies are considering scoring flaws with the system. (SecurityFocus is owned by Symantec.)

The grading of the previous vulnerabilities on the CVE list solves a problem that hampered adoption of the Common Vulnerability Scoring System, said Gerhard Eschelbeck, chief technology officer for Qualys and one of the founding members of the CVSS team.

"With the introduction of CVSS as a standardized vulnerability scoring system, the question appeared, how do we go back and score all the historical vulnerabilities released?" he said. "It is very encouraging to see NVD has taken on this big task, providing comprehensive CVSS scoring for even historical vulnerabilities."

To date, no software vendor has yet graded vulnerabilities in its product using the Common Vulnerability Scoring System. Microsoft, for example, has its own severity-grading system and has considered but not committed to supporting the CVSS. Microsoft's current scoring system - rating flaws as one of four levels of severity - works well for its customers, said a spokesperson for the software giant. The company did not rule out a future move to the ranking system, however.

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.