Released last month, the second version of the Common Vulnerability Scoring System, CVSS v2, was developed by the Common Vulnerability Scoring System Special Interest Group, or CVSS-SIG, an industry group made up of vendors, researchers, academics, government agency officials and IT managers interested in promoting a common language and method for ranking IT vulnerabilities. The group is part of an international incident-handling organization called the Forum of Incident Response and Security Teams, or FIRST.
In the first version of CVSS, the base, temporal and environmental metric groups all had to be scored and run through the formula, a time-consuming process, before a meaningful score for a vulnerability emerged. In version 2, the base score alone gives an accurate picture of a vulnerability's intrinsic severity, so IT managers can gauge the level of the threat more quickly; the temporal and environmental metrics remain available as optional refinements for those who want to adjust a score for exploit availability, patch status or their own deployment.
In CVSS v1, IT managers were required to score the temporal and environment portions, said Sasha Romanosky, a doctoral candidate in information security economics at Carnegie Mellon University in Pittsburgh, Penn., and a member of CVSS-SIG. "We found that was a higher barrier to IT managers using it. Because there was more of a learning curve, there was less adoption," he said. It was also a time issue, he said, with many IT managers unable to devote more time to the process.
Version 2 was developed based on feedback from CVSS-SIG members who tested hundreds of real-world vulnerabilities over the past two years, Romanosky said. It provides a "vector," or string of ratings that comes with the base score so IT managers can see what was used to score it, he said.
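The two points above (the base score standing on its own, and the vector string travelling with it so the score can be checked) are easiest to see by computing a score from a vector. The following is an added example written for this page, not code from the article, from FIRST or from any vendor named here; the metric weights and formulas are those published in the CVSS v2 guide, and the vulnerability vectors and finding IDs are constructed for illustration, not taken from any real advisory.

```python
"""CVSS v2 base and temporal score calculator (added example, not from the article).

Weights and formulas follow the published CVSS v2 guide. Sample vectors
and finding IDs below are constructed for illustration.
"""
import re
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights from the CVSS v2 specification
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector: local/adjacent/network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication instances required
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},   # confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},   # integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},   # availability impact
}

# Temporal-metric weights; "ND" (not defined) leaves the base score unchanged
TEMPORAL_WEIGHTS = {
    "E":  {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # remediation level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # report confidence
}

# Environmental metric names are accepted in a vector but not scored here
ENVIRONMENTAL_METRICS = {"CDP", "TD", "CR", "IR", "AR"}


def round1(x: float) -> float:
    """Round half up to one decimal, as the spec's round_to_1_decimal does."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (optionally wrapped in parentheses)."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        m = re.fullmatch(r"([A-Za-z]+):([A-Za-z]+)", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.group(1), m.group(2)
        table = BASE_WEIGHTS.get(name) or TEMPORAL_WEIGHTS.get(name)
        if table is not None and value not in table:
            raise ValueError(f"unknown value {value!r} for metric {name}")
        if table is None and name not in ENVIRONMENTAL_METRICS:
            raise ValueError(f"unknown metric {name!r}")
        metrics[name] = value
    missing = [k for k in BASE_WEIGHTS if k not in metrics]
    if missing:
        raise ValueError(f"vector missing base metrics {missing}")
    return metrics


def is_valid_vector(vector: str) -> bool:
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def base_score(metrics: dict) -> float:
    """Base score: intrinsic severity, independent of exploit status or environment."""
    w = {k: BASE_WEIGHTS[k][metrics[k]] for k in BASE_WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176     # no impact at all scores 0
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(metrics: dict) -> float:
    """Optional refinement: base score scaled by exploit, fix and confidence status."""
    score = base_score(metrics)
    for name, table in TEMPORAL_WEIGHTS.items():
        score *= table[metrics.get(name, "ND")]
    return round1(score)


def score_vector(vector: str) -> tuple:
    m = parse_vector(vector)
    return base_score(m), temporal_score(m)


def prioritize(findings):
    """Order (finding_id, vector) pairs by base score, highest first."""
    return sorted(findings, key=lambda f: score_vector(f[1])[0], reverse=True)


# Constructed sample findings, as a scanner or advisory feed might report them
SAMPLE_FINDINGS = [
    ("finding-1", "AV:N/AC:M/Au:N/C:N/I:P/A:N"),  # remote, no auth, partial integrity
    ("finding-2", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),  # remote, no auth, partial C/I/A
    ("finding-3", "AV:L/AC:L/Au:N/C:C/I:C/A:C"),  # local, full compromise
]

if __name__ == "__main__":
    for fid, vec in prioritize(SAMPLE_FINDINGS):
        print(fid, vec, score_vector(vec))
```

Because the vector travels with the score, anyone receiving a vendor's rating can re-run the arithmetic and confirm it, which is what makes scores from different issuers comparable. Note how the optional temporal metrics only ever lower the score: a finding with a functional exploit but an official fix available (E:F/RL:OF/RC:C) is rated below its base score, which is the kind of adjustment v1 forced on every user and v2 leaves to those who need it.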
When you can compare vulnerabilities regardless of the party issuing them, then patching prioritization becomes faster and easier, said Romanosky, who became interested in the project to standardize vulnerability scores after years as a security IT person, most recently at eBay.
"I just thought, as a security guy, what a great idea," Romanosky said. "It would just greatly improve vulnerability management if all vulnerabilities were rated the same way."
Some vendors have adopted CVSS v2 for rating vulnerabilities, so IT managers can easily determine which are most critical to patch, Romanosky said. Companies such as Cisco, Oracle, McAfee, Symantec and Qualys are now using CVSS v2, he said.
Microsoft weighs up CVSS v2
Microsoft uses its own Microsoft Security Response Center Security Bulletin Severity Rating System. Although the company has not embraced CVSS v2 yet, it has been an "active spectator" since the beginning, said Peter Mell, a member of CVSS-SIG and a senior computer scientist in the Computer Security Division of the U.S. National Institute of Standards and Technology in Washington, D.C.
Microsoft's rating system references the Common Vulnerabilities and Exposures (CVE) list, a set of common names for publicly known vulnerabilities, Mell said. The list is maintained by the CVE Editorial Board, which is made up of information security professionals. By including these standardized identifiers in its vulnerability and patch updates, Microsoft is showing that it is taking steps toward using the CVSS, Mell said.
CVSS-SIG's work on a vendor-neutral common scoring system began in 2003, said Gerard Eschelbeck, chief technology officer of WebRoot Inc., an Internet security company based in Boulder, Colo. He was involved in the development of the standard for the first few years.
"At that time, every week vendors published many different vulnerabilities with many different ratings," Eschelbeck said. "There was everything from most critical to high-medium-low to urgent," he said.
"I think the group has pioneered a model here in scoring, which will help with prioritizing what to patch," Eschelbeck said. "I really think it's just a matter of time before the whole user community sees the values of the system."
Some IT shops at large online enterprises like Amazon.com and eBay are already using CVSS v2 to rate vulnerabilities, and others are starting to follow suit.
John Citron, a systems administrator for Latran Technologies, a printing technology company based in Bedford, Mass., said he thinks a common scoring system would eliminate a lot of the confusion around vulnerabilities.
"What one vendor passes off as a mere dimple in the surface is sometimes classified as an onerous threat by others," Citron said.