
Tuesday, September 27, 2005

Common Vulnerability Scoring System (CVSS)


An industry group that for the past six months has been developing a common system for rating software flaws announced last week that its proposed approach is ready for broader testing by vendors, corporations and security researchers.

The Common Vulnerability Scoring System (CVSS) is designed to replace the proprietary vulnerability rating systems that vendors now use. The standardized system was commissioned in January by the National Infrastructure Advisory Council, a group of 30 companies that advises President Bush.

The participants involved in developing the CVSS include Cisco Systems Inc., Internet Security Systems Inc., Qualys Inc. and Carnegie Mellon University's CERT Coordination Center. The standard is being managed by the Forum of Incident Response and Security Teams (FIRST), a not-for-profit organization in Research Triangle Park, N.C.

Mike Caudill, chairman of FIRST and a member of Cisco's security response team, said the development of the CVSS is "an attempt to bring some order to the chaos" that currently exists around vulnerability ratings. The standardized approach should help IT managers better prioritize their responses to software flaws by giving them a better idea of the security risks their companies face, Caudill said.

The system uses a scale of 1 to 10 to rate the severity of vulnerabilities and lets users add information that's specific to their IT installations to arrive at a customized risk score.

Cisco has already begun testing the CVSS on its security Web site, Caudill said. And by year's end, Redwood Shores, Calif.-based Qualys plans to start using the new system for rating vulnerabilities as part of its managed security services, said Gerhard Eschelbeck, the company's chief technology officer.

But some issues have to be resolved before the CVSS is ready for broad use, said Jeff Havrilla, vulnerability team leader at CERT. There still needs to be general agreement on all the attributes that have to be considered when rating a flaw's severity and on the semantics for describing the attributes, Havrilla said. He added that tools are needed to automate the scoring process.

The rating system also needs to attract support from other major software vendors, including Microsoft Corp. In a statement sent via e-mail, a Microsoft spokeswoman said that the company has no immediate plans to adopt the CVSS.

"It's still somewhat of a work in progress, but it is an incredibly important effort," said Michael Gavin, an analyst at Forrester Research Inc.