Ratings Game: Security Flaw Scoring System Flounders

A quantitative system to rate software security flaws could be a big help to enterprises, but so far the standard is lagging.

Exactly one year after the introduction of the Common Vulnerability Scoring System as a vendor-neutral standard to get around the confusion of measuring the severity of security flaws, the ambitious initiative appears stalled by the indifference of some of its own heavyweight backers.

The standard, which was unveiled a year ago at the RSA Conference, has largely been ignored by several of the same software vendors—including Microsoft, Oracle, Hewlett-Packard, Sun Microsystems and Symantec—that introduced it.

CVSS, which uses strict mathematical calculations to determine the seriousness of software security holes, could provide companies with quantitative data to prioritize security flaws and allocate time and labor accordingly.

/zimages/3/28571.gifClick here to read about how Cisco implemented a free threat advisory service with full support for the Common Vulnerability Scoring System.

But instead of rallying behind the standard, vendors have largely ignored the security scoring system, putting a damper on expectations that CVSS will replace the wide range of vendor-specific rating systems. As a result, companies still have to rely on a hodge-podge of security rating systems.

Microsoft, with its operating system market dominance, is seen as the elephant in the room, but theres no urgency at the Redmond, Wash., software maker to switch from its proprietary flaw rating system that describes vulnerabilities as "critical," "important," "moderate" or "low." Gavin Reid, project leader of FIRST.org, the nonprofit tasked with managing the CVSS initiative, remains encouraged by the handful of companies that have started adding CVSS scores to security alerts.

"It would be nice to have Microsoft and all the other big vendors on board, but I dont think the success of CVSS is dependent on them," Reid said. "If IT departments find the scoring system valuable to prioritize patching, it doesnt matter whos doing it."

In the past year, CVSS scores have started appearing in advisories from companies like Cisco, Qualys, Nessus and Skype. In addition, in what amounts to the biggest endorsement for CVSS, the National Institute of Standards and Technologys National Vulnerability Database has completed CVSS scores for more than 15,000 vulnerabilities in its system.

Peter Mell, the NIST computer scientist who created the National Vulnerability Database, believes full-scale adoption of CVSS will be driven by IT departments that rely on the scoring system to write and implement software patching policies.

/zimages/3/28571.gifClick here to read about Ciscos Adaptive Threat Defense Initiative.

"More and more, businesses will look at the CVSS score and make a quick determination [on patching priorities]. I believe that the impact of CVSS should not be measured by software vendor interest but by the usefulness to the end user," he declared.

Gerhard Eschelbeck, a security researcher who helped invent the CVSS standard and is senior vice president at Webroot Software, shares Mells optimism. "After a year, maybe we did not make the progress that was anticipated, but I dont agree that CVSS adoption has languished at all," he said. "I think CVSS is going to take another year or two to get another 10 big vendors on board, but in the long run, theres no question that this is the right thing to do."

Microsoft declined to be interviewed for this story. Instead, the company sent a carefully worded statement to eWEEK to emphasize that its future decisions will be based on customer feedback.

"Microsoft is continually working with their customers to gather their feedback on how to make the process better and more valuable to them and will evaluate that feedback and make changes that best meet the needs of their customers," the statement said.

Mike Caudill, incident manager at Ciscos PSIRT (Product Security Incident Response Team) and a member of the FIRST.org board of directors, thinks its unfair to attach the success or failure of CVSS to any one vendor, even if its Microsoft or Oracle.

"The fact that they havent directly supported CVSS in their advisories is their choice," he said. "But, if I want a CVSS score for a Microsoft bulletin, theres a place I can find it. When people start asking for it, you will see Microsoft and all the other vendors start providing it."

Cisco was among the first to publicly distribute CVSS scores in advisories, and Caudill said the company will continue to be a big supporter of the concept.

According to FIRST.orgs Reid, the adoption rates in the first year have been above expectations. "We took an abstract methodology and created a scoring system around that. A year ago, this was a theoretical white paper. One year later, we can say with certainty that the theory is sound," he said.

As Eschelbeck puts it, "Im not surprised we havent conquered the world in one year. But theres a lot of momentum to keep us excited."

Even without Microsoft.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.