Feeds

Federal flaw database commits to grading system

My vuln is worse than yours

Securing Web Applications Made Simple and Scalable

A federal database of software vulnerabilities funded by the US Department of Homeland Security has decided on a common method of ranking flaw severity and has assigned scores to the more than 13,000 vulnerabilities currently contained in its database, the group announced last week.

The National Vulnerability Database, unveiled in August, completed its conversion over to the Common Vulnerability Scoring System, a industry initiative aimed at standardizing the severity rankings of flaws. The CVSS gives vulnerabilities a base score based on their severity, a temporal score that measures the current danger - which could be lessened by a widely available patch, for example - and an environmental score that measures an organization's reliance on the vulnerable systems.

"There does not exist or ever will exist a perfect technique for scoring vulnerability impact," Mell said. "CVSS appears to work very effectively and it was better than my current scoring system and so it made sense to adopt it."

The move to the Common Vulnerability Scoring System gives the flaw-ranking initiative a major boost. Created by security researchers at networking giant Cisco, vulnerability management software provider Qualys and security company Symantec, the CVSS has not been used widely, though many companies are considering scoring flaws with the system. (SecurityFocus is owned by Symantec.)

The grading of the previous vulnerabilities on the CVE list solves a problem that hampered adoption of the Common Vulnerability Scoring System, said Gerhard Eschelbeck, chief technology officer for Qualys and one of the founding members of the CVSS team.

"With the introduction of CVSS as a standardized vulnerability scoring system, the question appeared, how do we go back and score all the historical vulnerabilities released?" he said. "It is very encouraging to see NVD has taken on this big task, providing comprehensive CVSS scoring for even historical vulnerabilities."

To date, no software vendor has yet graded vulnerabilities in its product using the Common Vulnerability Scoring System. Microsoft, for example, has its own severity-grading system and has considered but not committed to supporting the CVSS. Microsoft's current scoring system - rating flaws as one of four levels of severity - works well for its customers, said a spokesperson for the software giant. The company did not rule out a future move to the ranking system, however.

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.