CVSS
Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of computer system security vulnerabilities. It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so that remediation efforts can be prioritized. The score is derived from a series of measurements (called metrics) that rest on expert assessment.
Metrics
The CVSS assessment measures three areas of concern:
- Base Metrics for qualities intrinsic to a vulnerability.
- Temporal Metrics for characteristics that evolve over the lifetime of a vulnerability.
- Environmental Metrics for characteristics of a vulnerability that depend on a particular implementation or environment.
Base Metrics
- Is the vulnerability exploitable remotely (as opposed to only locally)?
- How complex must an attack be to exploit the vulnerability?
- Is authentication required to attack?
- Does the vulnerability expose confidential data?
- Can attacking the vulnerability damage the integrity of the system?
- Does it impact availability of the system?
Temporal Metrics
- How complex is it (or how long will it take) to exploit the vulnerability?
- How hard (or how long) will it take to remediate the vulnerability?
- How certain is the vulnerability's existence?
Environmental Metrics
- Potential to cause collateral damage.
- How many systems (or how much of a system) does the vulnerability impact?
- Security requirements (confidentiality, integrity, availability) of the affected environment.
External links
- the Forum of Incident Response Teams FIRST CVSS site
- National Vulnerability Database NVD CVSS site
- Security-Database online CVSS 2.0 calculator
- A list of early adopters
- All software/hardware vulnerabilities are CVSS scored and can be viewed at the NVD site
- Security-Database vulnerabilities dashboard scored with CVSS and other Open Standards CVE, CPE, CWE, CAPEC, OVAL
Wikimedia Foundation. 2010.