<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Risk and CVSS (Post 1)</title>
	<atom:link href="http://risktical.com/2008/08/24/risk-and-cvss-post-1/feed/" rel="self" type="application/rss+xml" />
	<link>http://risktical.com/2008/08/24/risk-and-cvss-post-1/</link>
	<description>Assessing, Articulating &#38; Quantifying Information Security Risk</description>
	<lastBuildDate>Mon, 31 Oct 2011 20:19:19 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: HyunChul</title>
		<link>http://risktical.com/2008/08/24/risk-and-cvss-post-1/#comment-435</link>
		<dc:creator><![CDATA[HyunChul]]></dc:creator>
		<pubDate>Fri, 19 Feb 2010 10:26:51 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=48#comment-435</guid>
		<description><![CDATA[By the way, a vulnerability in CVSS is defined as a software defect which can be exploited by malicious users so that it can potentially cause negative impact.]]></description>
		<content:encoded><![CDATA[<p>By the way, a vulnerability in CVSS is defined as a software defect which can be exploited by malicious users so that it can potentially cause negative impact.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: HyunChul</title>
		<link>http://risktical.com/2008/08/24/risk-and-cvss-post-1/#comment-434</link>
		<dc:creator><![CDATA[HyunChul]]></dc:creator>
		<pubDate>Fri, 19 Feb 2010 10:24:02 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=48#comment-434</guid>
		<description><![CDATA[The main goal of CVSS is mainly to standardize software-related vulnerabilities, so that we can make sure that when we say vulnerability A, it is not the same one as vulnerability B among people. 
Also, it can prioritize the severity of vulnerabilities. It can help administrators decide which one should be cured first. Of course, as you said, it should not be a panacea, but it still provides a tremendous service, especially for quantitative software risk analyses.]]></description>
		<content:encoded><![CDATA[<p>The main goal of CVSS is mainly to standardize software-related vulnerabilities, so that we can make sure that when we say vulnerability A, it is not the same one as vulnerability B among people.<br />
Also, it can prioritize the severity of vulnerabilities. It can help administrators decide which one should be cured first. Of course, as you said, it should not be a panacea, but it still provides a tremendous service, especially for quantitative software risk analyses.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Hayes</title>
		<link>http://risktical.com/2008/08/24/risk-and-cvss-post-1/#comment-40</link>
		<dc:creator><![CDATA[Chris Hayes]]></dc:creator>
		<pubDate>Mon, 25 Aug 2008 16:22:02 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=48#comment-40</guid>
		<description><![CDATA[Yep, PCI QSAs are using CVSS for vulnerability scoring. However, some of the vendors are not educating the PCI merchant about the portion of CVSS called the “environmental metric group” vectors which can have an impact on the overall CVSS score. As a matter of fact, the CVSS documentation implies that the environmental metrics are not something the vendor(s) can score – because they do not understand each and every organization’s environment. Granted, the environmental vectors are “optional” according to CVSS – but PCI QSAs should provide some value add and educate their clients about assigning the vulnerability in the context of their environment. For PCI gaps, one should separate risk due to the vulnerability itself vs. risk with not being compliant. 

Also, some PCI QSAs do not even perform the CVSS method themselves, they just go to the National Vulnerability Database and grab the CVSS score / vector from there. How original is that? High reuse, less work, more profit – less value-add.]]></description>
		<content:encoded><![CDATA[<p>Yep, PCI QSAs are using CVSS for vulnerability scoring. However, some of the vendors are not educating the PCI merchant about the portion of CVSS called the “environmental metric group” vectors which can have an impact on the overall CVSS score. As a matter of fact, the CVSS documentation implies that the environmental metrics are not something the vendor(s) can score – because they do not understand each and every organization’s environment. Granted, the environmental vectors are “optional” according to CVSS – but PCI QSAs should provide some value add and educate their clients about assigning the vulnerability in the context of their environment. For PCI gaps, one should separate risk due to the vulnerability itself vs. risk with not being compliant. </p>
<p>Also, some PCI QSAs do not even perform the CVSS method themselves, they just go to the National Vulnerability Database and grab the CVSS score / vector from there. How original is that? High reuse, less work, more profit – less value-add.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ben</title>
		<link>http://risktical.com/2008/08/24/risk-and-cvss-post-1/#comment-39</link>
		<dc:creator><![CDATA[Ben]]></dc:creator>
		<pubDate>Mon, 25 Aug 2008 11:13:31 +0000</pubDate>
		<guid isPermaLink="false">http://risktical.wordpress.com/?p=48#comment-39</guid>
		<description><![CDATA[fwiw, PCI uses CVSS for scoring criteria in patch mgmt requirements. That&#039;s when I first encountered it in my consulting, after a client started asking questions about it in order to implement a compliant patch mgmt program.]]></description>
		<content:encoded><![CDATA[<p>fwiw, PCI uses CVSS for scoring criteria in patch mgmt requirements. That&#8217;s when I first encountered it in my consulting, after a client started asking questions about it in order to implement a compliant patch mgmt program.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

