
Industry Group Urges Adoption of Vulnerability Scoring System

"CVSS solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone"

The Forum of Incident Response and Security Teams (FIRST) -- a not-for-profit network of computer security incident response teams representing government, law enforcement, commercial, education and other organizations worldwide -- has joined industry leaders in urging organizations throughout the global Information Technology (IT) community to test the first Common Vulnerability Scoring System (CVSS). FIRST is hosting and serving as custodian for updates to the CVSS, designed to give security professionals, business executives and end users across industries a standard language for measuring vulnerabilities of networked information systems and prioritizing responses.

Different systems for scoring vulnerabilities are in use today. Frequently "home-grown" (developed for specific organizations by their specific IT departments), these systems use different metrics, tend to be Internet-centric, fail to universally accommodate change and do not have provisions for operational environments of varying risk profiles. The CVSS development team sought to overcome these shortcomings and create a system that is freely available and simple to use by anyone, in any operational environment, for measuring any potential vulnerability. The metrics weighed in the CVSS formulas include impact to system availability, data confidentiality and integrity, as well as the vulnerability's exploitability and potential for collateral damage.

CVSS was designed by a team of companies, including Cisco Systems Inc., eBay, Internet Security Systems and Qualys Inc. in support of the U.S. National Infrastructure Advisory Council (NIAC). It is a simple, open, vendor-agnostic system that factors seven base metrics along with time- and environment-dependent metrics in assigning a composite score representing the overall risk presented by a vulnerability.

"CVSS solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone," said Gavin Reid, FIRST's CVSS project manager and a member of Cisco's Computer Security Incident Response Team. "Because the framework is in its first-generation stage, there is a need for active participation and feedback within the global IT community. FIRST's goal is to increase the scoring system's usability and acceptance across industries."

At the initial meeting of FIRST's CVSS Special Interest Group, early adopters of the system, including Assuria, CERT/CC, Cisco Systems, IBM, Internet Security Systems, JPCERT/CC, netForensics, Pentest Ltd., Qualys, Sintelli, Skybox Security and Unisys, agreed to test the system and look into applicable usage within their companies. More than 30 governments and vendors were represented at a meeting in Singapore last July.

"Through CVSS, the security industry has made incredible progress in creating a common language for understanding vulnerabilities and threats," said Gerhard Eschelbeck, one of the designers of CVSS and chief technical officer of Qualys. "There are already a number of organizations who have committed to CVSS and begun implementation. With the resources and focus of the FIRST team, we'll be able to take this initiative to the next level of widespread adoption."

IT specialists interested in finding out how they can participate, reviewing the CVSS framework, and obtaining tools to facilitate end-user scoring can visit FIRST online.