News Analysis: The vendor-neutral attempt to standardize the way security flaws are rated gets a boost from network security vendor Cisco. Will the industry follow?
Network security powerhouse Cisco has rolled out a new enterprise-focused threat advisory service with full support for CVSS, aka the Common Vulnerability Scoring System, the fledgling industry attempt to standardize the way security flaws are rated.
Cisco Systems Inc.s MySDN (My Self-Defending Network)
marks the first public appearance of CVSS in a flaw-warning service.
The MySDN service is a free Web resource set up to deliver advisories about network vulnerabilities and threats that arent caused by bugs in Cisco products, and forms part of the San Jose, Calif.-based companys ambitious ATD (Adaptive Threat Defense) initiative.
Ciscos adoption of CVSS means that flaw warnings will include two severity scores derived strictly from metrics and formulas. For example, a recent alert for a denial-of-service bug
in implementations of the TCP/IP protocol adds CVSS scoring alongside the traditional "medium" risk severity.
The CVSS scoring system is the brainchild of the U.S. Department of Homeland Securitys NAIC (National Infrastructure Advisory Council) and is backed by several high-profile technology firms, including Cisco, Microsoft Corp., eBay Inc., Qualys Inc. and Internet Security Systems Inc.
At its core, the CVSS framework is designed to provide end users with an overall composite score representing the severity and risk of a vulnerability. The metrics and formulas that power the scoring system have been divided into three categoriesbase, temporal and environmentaland promise a vendor-neutral solution to the problem of incompatible severity rating systems.
Heres how it works: Base Metrics, which never changes, is set by the vendor or researcher issuing the advisory and is computed by a strict set of mathematical algorithms. Temporal Metrics, also calculated from metrics and formulas, contain characteristics of the vulnerability that evolve over the lifetime of the security flaw.
The last component, Environmental Metrics, is not included in the advisory. Instead, it is computed by the end user and contains characteristics of the vulnerability that are tied to an implementation in a specific environment.
CVSS is not meant to serve as a threat scoring system (or DHS color warning system), a vulnerability database or a real-time attack scoring system. Instead, backers say CVSS offers the perfect model to provide end users with an overall composite score representing the severity and risk of a vulnerability.
The project recently found a home with FIRST.org,
a nonprofit made up of incident response and security teams worldwide, and supporters expect researchers and vendors to begin following Ciscos lead to make CVSS the de facto standard for severity ratings.
Click here to read more about Ciscos Adaptive Threat Defense initiative.
Mike Caudill, who sits on FIRST.orgs board of directors, believes that widespread adoption of CVSS will remove the existing subjectivity from ratings and lessen the tension between software vendors and private researchers that discover flaws.
Ideally, Caudill said CVSS should complement Mitres CVE (Common Vulnerabilities and Exposures),
which has been widely used to standardize the names for all publicly known vulnerabilities and security exposures.
"Were hoping to get all the response teams internationally to try it out and start using it. There are a handful of organizations and companies trying out CVSS internally to get a feel for the system. We expect to start seeing public implementations as everyone becomes more comfortable," Caudill said in an interview with Ziff Davis Internet News.
FIRST.org has set up a special interest group to evangelize CVSS, and a kickoff meeting is scheduled for the end of June to provide an update on public implementations, he said.
Other vendors adopt CVSS.