
Our company is developing a web app that is used for e-commerce. We want to establish a more formal scoring system for any security-related issues eventually reported by us or by our clients. The purpose is to prioritize the patch development and at the same time to communicate the severity to the clients.

So far we have evaluated the Common Vulnerability Scoring System. It seems simple and accurate (skipping the environmental metrics) and there are online calculators for scoring. Further, it is simple to develop our own calculator.

My question is: what are the most popular alternatives to CVSS? What are the pros and cons compared with CVSS? Is there something like a comparison cheat-sheet so that we can easily find our way, or do we need to make a serious evaluation of several more systems?

Lachezar Balev

5 Answers


Tony Cox and Jeff Lowder have provided some excellent commentary on CVSS (indeed SIRA includes lots of good discussion). Their goal is a bit broader than yours, but I think that the referenced article provides an index to commentary about CVSS. @Metahuman's post points out that CVSS can be supplemented.

The Department of State's iPost system found that CVSS scoring overestimated the value of unimportant risks; if I recall correctly they simply cubed the values to emphasize the serious stuff. State's iPost is the model (albeit a flawed model according to the Department of State Inspector General) for the DHS CAESARS - but both of those are more architectural than your goal.

CVSS is a flawed standard - I know that there are active efforts to revise/reform it. There is considerable subjectivity in the ratings - I can't find the reference at this moment, but someone ran a test where they gave several experts the same information about a vulnerability and they used the CVSS process but came up with very different answers. But it is a standard. It is an excellent place to start for a project such as yours where you're looking for a reference standard without the effort of creating your own methodology. You can use CVSS (and CWE) as starting points, and then do what @Colin Cassidy calls "magic maths".

CVSS is system-centric; it ignores architectural security features, and it probably undervalues vulnerabilities where the web/cloud is the delivery vector. I'd want to look at OWASP and Veris for more statistical information about real world exploits rather than on theoretical models.

I probably wouldn't ignore the environmental metrics; indeed in the medium term, I'd use the components of CVSS to begin to roll your own vulnerability score that is more closely fitted to your needs.

MCW

We use a scoring system based on DREAD where we score the 5 elements

  • Damage, how bad is the vulnerability
  • Reliability, does the vulnerability work all the time or just some of the time
  • Exploitability, how much effort is it to exploit the vulnerability
  • Affected Users, number of people impacted
  • Discoverability, how easy would it be to discover this vulnerability

out of 5, where we have defined roughly what the scores 1 to 5 mean for our product and these categories. We then do some magic maths to come up with a severity and priority for the vulnerability. See David LeBlanc's post for more details. We find that this method has a couple of advantages: firstly we can state what the scores mean for our product, secondly it's surprisingly easy for managers to understand :)

Colin Cassidy
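One way the DREAD scoring described in this answer can be put into code, as an added example that is not the answer's own (the answer does not say what its "magic maths" are, so the 1/3/5 anchor descriptions, the mean-based severity and the priority bands are assumptions, and the two issues are constructed to mirror the minor-DoS versus false-orders comparison made elsewhere in the thread):

```python
from dataclasses import dataclass, fields

ELEMENTS = ("damage", "reliability", "exploitability", "affected_users", "discoverability")

# Constructed 1/3/5 anchor points for an e-commerce product. The answer says each
# team defines what the scores mean for its own product, so these are an assumption.
ANCHORS = {
    "damage":          {1: "cosmetic only", 3: "one customer's data", 5: "payments or all customer data"},
    "reliability":     {1: "rarely works", 3: "works with retries", 5: "works every time"},
    "exploitability":  {1: "expert, custom tooling", 3: "skilled, public tooling", 5: "trivial"},
    "affected_users":  {1: "a single account", 3: "one client's users", 5: "every user"},
    "discoverability": {1: "needs source access", 3: "needs deliberate probing", 5: "visible in normal use"},
}


@dataclass(frozen=True)
class DreadScore:
    name: str
    damage: int
    reliability: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything outside the agreed 1..5 scale before it reaches the maths.
        for e in ELEMENTS:
            v = getattr(self, e)
            if not isinstance(v, int) or not 1 <= v <= 5:
                raise ValueError(f"{e} must be an integer 1..5, got {v!r}")

    def severity(self) -> float:
        """Assumed 'magic maths': mean of the five elements, 1.0 .. 5.0."""
        return round(sum(getattr(self, e) for e in ELEMENTS) / len(ELEMENTS), 1)

    def priority(self) -> str:
        """Assumed bands mapping severity to a patch priority."""
        s = self.severity()
        return "P1" if s >= 4.0 else "P2" if s >= 3.0 else "P3" if s >= 2.0 else "P4"


def rank(issues):
    """Highest severity first; ties broken by damage, then by affected users."""
    return sorted(issues, key=lambda i: (i.severity(), i.damage, i.affected_users), reverse=True)


# Constructed issues mirroring the thread's own comparison: a minor DoS vs forged orders.
MINOR_DOS = DreadScore("minor denial of service", 2, 4, 4, 3, 3)
FALSE_ORDERS = DreadScore("forged orders", 5, 5, 4, 4, 2)
```

Calling `rank([MINOR_DOS, FALSE_ORDERS])` puts the forged-orders issue (severity 4.0, P1) ahead of the minor DoS (severity 3.2, P2), which is the ordering the thread argues a business would expect.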

Based on your requirements, you might want to look at Common Weakness Enumeration (CWE). http://cwe.mitre.org/about/index.html.

It is a community-backed solution for describing software security vulnerabilities, and a baseline for vulnerability remediation activities.

Metahuman

CVSS is a reasonable system for evaluating vulnerabilities, and is a good framework for determining possible technical impact; however, it's only part of the story. What matters to a business is how much money it can potentially lose if a vulnerability is exploited, or the system goes down. If a vulnerability could be introduced that could be used to create a minor denial of service condition, it would cause the company less loss than one that could be used to create false orders, for example.

Management thinks in terms of monetary units, so you have to express risk in terms of monetary loss. Development costs the company money; they won't fix bugs unless the potential for loss is greater than the cost of development to fix the bugs.

GdD
  • What you say is correct and the CVSS addresses it in its environmental metrics, more specifically in the "Collateral Damage Potential" and to a certain extent in the "Security Requirements". Of course "money" is replaced with "property" :-). I deliberately noted that we skip the environmental metrics since it is really very specific to the different clients. A minor DoS attack may be serious for a big client but is not an issue for some smaller players. Thus we cannot really evaluate this on our side. – Lachezar Balev Oct 03 '12 at 07:59
  • @lucho CDP is designed to express the *maximum* potential fiscal loss, based on your current client list. As such, assume that all of your clients get affected by the issue (where applicable) - how much will it cost you? – Polynomial Oct 03 '12 at 11:57
  • @lucho, the CVE environmental metrics really tell you how other systems could be affected; CVE doesn't really give any structure on how to figure out your potential monetary exposure. That really depends on your organization. – GdD Oct 03 '12 at 12:09
  • @Polynomial we have clients that make 3 orders per day but there are some with 3000 and there are many that refuse to give such information at all. So it is difficult to estimate how much it will cost us or them. Does it mean that we should skip the environmental metrics altogether? Or may we create a rough estimation (actually CVSS does not contain any numbers)? And is it reliable to communicate CVSS scores to clients without including these metrics? – Lachezar Balev Oct 03 '12 at 12:19
  • Agreed. CVE is for technical impact analysis, not financial. You need your legal and financial guys to help you out with a risk analysis. – Polynomial Oct 03 '12 at 12:19
  • @lucho If you're presenting projected financial losses to a client, CVSS isn't what you want. It's purely for expressing technical impact, from which you can extrapolate potential information losses, and finally project costs. Extrapolation of losses is done by identifying what you're protecting, and how those assets might be affected by the issues you document and score with CVSS. From that, you have to work out what the maximum fiscal impact is of having those information assets compromised. CVSS doesn't do that - it's a separate task. – Polynomial Oct 03 '12 at 12:21
  • @Polynomial so it seems to me that if we want to communicate the technical impact we would have to skip the environmental metrics? – Lachezar Balev Oct 03 '12 at 12:23
  • @lucho The environmental metrics are designed to *store* the results of your fiscal impact assessment. You don't need to skip them, you just need to do the financial assessment. If that's outside the scope of your analysis, then you *can* skip them. – Polynomial Oct 03 '12 at 12:25
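The comment thread above turns on what the environmental metrics (Collateral Damage Potential, Target Distribution and the Security Requirements) actually do to a score. As an added example, not code from the thread, here is a CVSS v2 base and environmental calculator using the weights and formulas of the CVSS v2 specification; the temporal metrics are treated as Not Defined (factor 1.0) and the sample vector is constructed:

```python
# Added example (not from the thread): CVSS v2 base and environmental scores,
# using the weights and formulas of the CVSS v2 specification. Temporal metrics
# are treated as "Not Defined" (factor 1.0); the sample vectors are constructed.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}            # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}             # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}            # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}           # Conf/Integ/Avail impact
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # CollateralDamagePotential
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}              # TargetDistribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                        # C/I/A security requirements


def _combine(impact, exploitability):
    """BaseScore equation; a vulnerability with no C/I/A impact scores 0."""
    f = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)


def _exploitability(av, ac, au):
    return 20 * AV[av] * AC[ac] * AU[au]


def base_score(av, ac, au, c, i, a):
    """Base score from the six base metrics, e.g. base_score("N", "L", "N", "P", "P", "P")."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    return _combine(impact, _exploitability(av, ac, au))


def environmental_score(av, ac, au, c, i, a, cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """Environmental score: impact re-weighted by the deployer's C/I/A requirements,
    then lifted towards 10 by collateral damage potential and scaled by target distribution."""
    adj_impact = min(10.0, 10.41 * (1 - (1 - CIA[c] * REQ[cr])
                                      * (1 - CIA[i] * REQ[ir])
                                      * (1 - CIA[a] * REQ[ar])))
    adj_temporal = _combine(adj_impact, _exploitability(av, ac, au))  # temporal factors 1.0
    return round((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td], 1)


if __name__ == "__main__":
    vec = ("N", "L", "N", "P", "P", "P")  # constructed: remote, unauthenticated, partial C/I/A
    print("base:", base_score(*vec))                                                   # 7.5
    print("big client, medium-high collateral damage:", environmental_score(*vec, cdp="MH", td="H"))  # 8.5
    print("client for whom integrity matters most:", environmental_score(*vec, ir="H"))  # 8.0
```

The same vector moves from 7.5 to 8.5 for a client with medium-high collateral damage potential and to 8.0 for one with a high integrity requirement, which is exactly the per-client variation the thread says the vendor cannot estimate on its own.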

I prefer performing 2 scores when using quantitative risk analysis data for information security management and risk management purposes.

1) FTA or Fault-Tree Analysis. This is done using a bottom-up approach.
2) FMEA or Failure Mode and Effects Analysis. Done using a top-down approach.

atdre