In general, large numbers of disclosed vulnerabilities create significant challenges for IT security administrators who have deployed the affected products. Not all vulnerabilities are equal, however, and an analysis of vulnerability severity can help IT professionals understand the nature and severity of the threats they face from newly disclosed vulnerabilities and prioritize their response accordingly.
The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities, developed by a coalition of security professionals from around the world representing the commercial, non-commercial, and academic sectors. Currently in its second version, the system assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. For an explanation of the CVSS scoring methodology, see the CVSS guide.
Focusing on mitigating the most severe vulnerabilities first is a security best practice. Although CVSS, through the National Vulnerability Database (NVD), provides a base score across the set of industry vulnerabilities, security professionals should look first to their software vendors for further security information because they are the people who understand their software best. However, not all vendors provide their own assessment of severity or even provide security advisories for vulnerabilities. (The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). CVE and CVSS are both components of SCAP.)
The large number of High severity vulnerabilities disclosed in the report underscores the importance of looking beyond the simpler groupings of Low, Medium, and High to leverage the CVSS score behind the rating label, in addition to other information that is available.