The CVSS scoring system rates the severity of a vulnerability on a scale of 0 to 10. The metrics baked into the standard include the impact of an attack or vulnerability on system availability, the effect on data confidentiality and integrity, how easily the vulnerability can be exploited (for example, whether it is reachable remotely and whether authentication is required), and the potential for collateral damage.
CVSS also lets security administrators supply site-specific information, such as how widely the affected product is deployed and what collateral damage a compromise would cause, so that the resulting risk profiles and scores are customized to a particular organization and its security practices.
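As an added worked example (not code from the article, from Cisco or from NIAC), the following Python computes the three scores the two paragraphs above describe: the base score from the vulnerability's own properties, the temporal score that adjusts it for exploit availability, fix availability and report confidence, and the environmental score that folds in the site-specific information. The weights are those of CVSS version 1, the scheme launched in 2005 and in use when this article was written (an assumption, since the article does not name a version; the base formula was changed in the later version 2). The vulnerability vector and the two sites are constructed inputs, chosen to show how the same flaw lands in very different places on two organizations' patch lists.

```python
"""CVSS version 1 (NIAC, February 2005) score calculator, written as an
illustration for this article. The weights below are the v1 constants.
"""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metrics: intrinsic properties of the vulnerability.
ACCESS_VECTOR = {"Local": D("0.7"), "Remote": D("1.0")}
ACCESS_COMPLEXITY = {"High": D("0.8"), "Low": D("1.0")}
AUTHENTICATION = {"Required": D("0.6"), "Not required": D("1.0")}
IMPACT = {"None": D("0"), "Partial": D("0.7"), "Complete": D("1.0")}
# Impact bias weights (confidentiality, integrity, availability);
# "Normal" weights the three equally.
IMPACT_BIAS = {
    "Normal": (D("0.333"), D("0.333"), D("0.333")),
    "Confidentiality": (D("0.5"), D("0.25"), D("0.25")),
    "Integrity": (D("0.25"), D("0.5"), D("0.25")),
    "Availability": (D("0.25"), D("0.25"), D("0.5")),
}
# Temporal metrics: properties that change over the life of the vulnerability.
EXPLOITABILITY = {"Unproven": D("0.85"), "Proof of concept": D("0.9"),
                  "Functional": D("0.95"), "High": D("1.0")}
REMEDIATION_LEVEL = {"Official fix": D("0.87"), "Temporary fix": D("0.90"),
                     "Workaround": D("0.95"), "Unavailable": D("1.0")}
REPORT_CONFIDENCE = {"Unconfirmed": D("0.90"), "Uncorroborated": D("0.95"),
                     "Confirmed": D("1.0")}
# Environmental metrics: the site-specific part each organization fills in.
COLLATERAL_DAMAGE = {"None": D("0"), "Low": D("0.1"), "Medium": D("0.3"), "High": D("0.5")}
TARGET_DISTRIBUTION = {"None": D("0"), "Low": D("0.25"), "Medium": D("0.75"), "High": D("1.0")}


def _round1(x: Decimal) -> float:
    """CVSS v1 rounds each score to one decimal place (half up)."""
    return float(x.quantize(D("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, conf, integ, avail, bias="Normal"):
    """Base = 10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias)."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return _round1(D(10) * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                   * AUTHENTICATION[au] * impact)


def temporal_score(base, exploitability, remediation, confidence):
    """Temporal = Base * E * RL * RC; every factor is <= 1, so it can only lower the base."""
    return _round1(D(str(base)) * EXPLOITABILITY[exploitability]
                   * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])


def environmental_score(temporal, cdp, td):
    """Environmental = (Temporal + (10 - Temporal) * CDP) * TD."""
    t = D(str(temporal))
    return _round1((t + (D(10) - t) * COLLATERAL_DAMAGE[cdp]) * TARGET_DISTRIBUTION[td])


# Constructed sites: (collateral damage potential, target distribution).
SITES = {
    "hosting provider, product on every server": ("Medium", "High"),
    "office network, product on a few test hosts": ("None", "Low"),
}


def score_for_sites(sites):
    """One constructed vulnerability, one environmental score per site.

    The vector is a remotely exploitable, unauthenticated flaw with partial
    C/I/A impact, a functional public exploit and a confirmed vendor fix.
    Returns (base, temporal, {site: environmental}).
    """
    base = base_score("Remote", "Low", "Not required", "Partial", "Partial", "Partial")
    temporal = temporal_score(base, "Functional", "Official fix", "Confirmed")
    env = {name: environmental_score(temporal, cdp, td) for name, (cdp, td) in sites.items()}
    return base, temporal, env


if __name__ == "__main__":
    base, temporal, env = score_for_sites(SITES)
    print(f"base {base}, temporal {temporal}")
    for site, score in env.items():
        print(f"  {site}: environmental {score}")
```

The base score is the number a vendor such as Cisco would publish in an advisory; the temporal score drops once an official fix exists; and the environmental score is where the two sites diverge, because target distribution scales the score by how much of the estate is exposed and collateral damage potential pulls it back toward 10 where a compromise would cost more than the affected host. Note that the impact bias lets a rater weight one of confidentiality, integrity or availability above the others, which changes the base score for the same raw impacts.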
CVSS has been in development for almost two years, but this week Cisco began using and publishing CVSS scores on its MySDN service, which provides up-to-date intelligence reports on current vulnerabilities and threats. The company said its Product Security Incident Response Team (PSIRT) will also include CVSS severity scores in every security advisory it issues in 2007.
CVSS promises to change the way network threats are evaluated and handled: a common rating system gives enterprises a shared framework against which to prioritize their patching.
The initiative grew out of work at the National Infrastructure Advisory Council (NIAC), a body that provides policy advice to the US Secretary of Homeland Security, to promote a common understanding of network threats.
The scheme has been tested by about 30 companies since its formal launch in February 2005; Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest, Qualys, Sintelli, Skybox Security, and Unisys have all agreed to test the system and evaluate how it can be applied. Businesses such as Union Pacific, American Water, and eBay are among the early adopters.