Software Securitys Rating Game

CVSS could help enterprises, but support is lagging.

Exactly one year after the introduction of the Common Vulnerability Scoring System as a vendor-neutral standard to get around the confusion of measuring the severity of security flaws, the ambitious initiative appears stalled by the indifference of some of its own heavyweight backers.

The standard, which was unveiled at last years RSA Conference, has largely been ignored by several of the same software vendors that introduced it—including Microsoft, Oracle, Hewlett-Packard, Sun Microsystems and Symantec. CVSS, which uses strict mathematical calculations to determine the seriousness of software security holes, could provide companies with quantitative data to prioritize security flaws and allocate time and labor accordingly.

But, instead of rallying behind the standard, vendors have largely ignored the security scoring system, putting a damper on expectations that CVSS will replace the wide range of vendor-specific rating systems. As a result, companies still have to rely on a hodgepodge of security rating systems.

Microsoft, with its operating system market dominance, is seen as the elephant in the room, but theres no urgency at the software maker to switch from its proprietary flaw rating system that describes vulnerabilities as "critical," "important," "moderate" or "low."

Gavin Reid, project leader of the Forum of Incident Response and Security Teams, the nonprofit tasked with managing the CVSS initiative, remains encouraged by the handful of companies that have started adding CVSS scores to security alerts.

"It would be nice to have Microsoft and all the other big vendors on board, but I dont think the success of CVSS is dependent on them," Reid said in Research Triangle Park, N.C. "If IT departments find the scoring system valuable to prioritize patching, it doesnt matter whos doing it."

In the past year, CVSS scores have started appearing in advisories from companies such as Cisco Systems, Qualys, Nessus and Skype. In addition, in what amounts to the biggest endorsement for CVSS, the National Institute of Standards and Technologys National Vulnerability Database has completed CVSS scores for more than 15,000 vulnerabilities in its system.

"I dont agree that CVSS adoption has languished at all," said Gerhard Eschelbeck, a security researcher who helped invent the CVSS standard and senior vice president and chief technology officer at Webroot Software, in Boulder, Colo. "Im not surprised we havent conquered the world in one year. But theres a lot of momentum to keep us excited."

Microsoft officials declined to be interviewed for this story. Instead, the Redmond, Wash., company sent a carefully worded statement to eWEEK.

"Microsoft is continually working with their customers to gather their feedback on how to make the process better and more valuable to them and will evaluate that feedback and make changes that best meet the needs of their customers," the statement said.