Other Vendors Adopt CVSS
Besides Cisco, at least two vendors have announced plans to roll out public support for CVSS in the coming months. Qualys Inc., which sells on-demand vulnerability management service to enterprise customers, will add CVSS-based scores to its flagship Qualys Guard solution. "Right now, were using a proprietary scoring system that rates vulnerabilities on a scale of 1-5. This summer, well be adding support for CVSS and well be recommending it highly for our customers," said Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys.iDefense Inc., of Reston, Va., is also testing CVSS internally and plans to add CVSS scores to its alerts soon. iDefense, which buys the rights to information on security flaws found by underground researchers, will also offer CVSS scores alongside its own proprietary system, said Sunil James, director of vulnerability intelligence. Paying for flaws pays off for iDefense. Click here to read more. In an interview, James said internal testing of CVSS shows the system was "very consistent" with iDefenses own approach, which rates flaws on a tiered scale from minimal to extreme. "Were hoping it will eventually turn into a standard but that means that everyone has to get on board and start testing it." For CVSS to take off, the concept must win acceptance from the big software vendors and security-alerts aggregators. Microsoft Corp., which has a history of disagreeing with private researchers on the severity of flaws in its products, doesnt appear to be in a rush to adopt CVSS. "There is no new news from Microsoft on this. The company has not made any decisions to adopt the CVSS ratings at this time," a spokesperson said in brief statement sent to Ziff Davis Internet News. Microsoft uses a proprietary severity-rating system that is publicly available on its Web site. The federally funded U.S CERT/CC (Computer Emergency Response Team/Coordination Center) is involved with the early work on CVSS, but there are no immediate plans for public implementation. "Part of this work includes evaluation of CVSS for possible use at CERT/CC," a spokesperson explained. Secunia Inc., an alerts aggregator best known for tracking vulnerabilities in more than 4,500 pieces of software and operating systems, does not believe CVSS offers an improvement over its existing rating system. "While I see certain interesting perspectives of the CCVS, I still believe that it attempts to take into account too many factors, which too often cant be reliably assessed or which very much depend on individuals perception of certain issues," said Thomas Kristensen, CTO at Secunia. Kristensen argued that rating of vulnerabilities should merely take into account the factors that can be reliably determined. "This basically boils down to who can exploit this, where can it be exploited from, and what is the ultimate impact. Naturally, it is also interesting if a vulnerability is fixed or if an appropriate workaround is available, but it doesnt change the rating of the issue; if you are vulnerable then the risk remains the same whether the patch is available or not," he said. Kristensen acknowledged that a common rating system could provide an improvement over the existing situation, in which different systems lead to researchers exaggerating the extent of a flaw and vendors often downplaying issues. He said Secunia does not plan to use CVSS. "We have tested it and find that our current rating system is more suitable for Secunia and our customers. One of the things Secunia is widely acknowledged for is the Secunia rating system, ranging from Not Critical to Extremely Critical. We also know that a large number of our customers who previously used a competing solution found our ratings to be better and more understandable," Kristensen added. "I see no reason why Secunia at present should change to or implement a new rating system." iDefenses James believes Secunia should reconsider that decision, arguing that the perceived weaknesses in the CVSS proposal could be fixed. "I look at CVSS as a more granular version of what vendors are trying to do. It will help customers to better understand what vendors are thinking," he said. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
"We have a big opportunity to create a universally valid scoring system that is generally accepted in the world," Eschelbeck declared. "Were excited by the fact that CVSS now has a new home at FIRST.org and were looking forward to seeing others push ahead with implementations."