September 16, 2005 5:25 PM PDT

Plan lets users be the judge of flaws

A plan to make it easier for companies to determine how hard they could be hit by security flaws is ready for prime time, according to its backers.

The Common Vulnerability Scoring System plan calls for a unified approach to rating vulnerabilities in software, to replace the proprietary methods many technology companies and security vendors use when determining the impact of a flaw.

"We want to bring order to the chaos," said Mike Caudill, chairman of the Forum of Incident Response and Security Teams, or FIRST, which is pushing for adoption of the new Common Vulnerability Scoring System. "The ultimate goal is to have a system that will help the user appropriately react to a vulnerability."

The Common Vulnerability Scoring System, or CVSS, was developed under the auspices of the National Infrastructure Advisory Council, which advises President Bush about the security of information systems for critical infrastructure. FIRST, a worldwide consortium of security incident response teams such as the United States Computer Emergency Readiness Center, coordinates further CVSS development.

On Monday, FIRST plans to announce a push for wide-scale adoption of CVSS. Backers believe the rating system is ready to move into more general use after being a work-in-progress for the past year and a half. It was released publicly in late February, when a group of about 30 companies started testing it.

"Now is the time to move to the next phase of deploying CVSS and getting additional vendors on board," Gerhard Eschelbeck, one of the designers of the rating scheme and chief technology officer at vulnerability management company Qualys, said Friday.

CVSS goes beyond today's severity ratings, such as the familiar "critical" and "important" found in security bulletins from Microsoft. The new scoring system, which uses numbers between 1 and 10, enables organizations to calculate the specific risk to their own environment by adding information related to their IT systems. This could help them prioritize patches.

In addition to letting companies add their own environmental metric to the risk equation, CVSS also takes into account factors such as the availability of attack code and security patches, which can have an impact on the risk posed by a vulnerability. Current rating schemes are typically limited to certain aspects of the vulnerability--for example, whether an attacker could compromise a system remotely and how easily a flaw can be exploited.

Risk assessment
If CVSS is widely adopted, an enterprise risk manager or security professional could use the system to determine which flaws need fixing first, Caudill said.

"It would allow an organization to compare vulnerabilities from multiple vendors, on multiple platforms and potentially affecting different parts of an organization, and have a common metric for assessing the risk," he said.
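The two ideas above, a vendor-supplied severity that is then adjusted for exploit and patch availability and for the organisation's own environment, and a single number that lets advisories from different vendors be ranked side by side, can be shown in a few dozen lines. The following is an added example, not code from the article, from FIRST or from any vendor quoted here. It models the three-layer structure of CVSS version 1 (base, temporal, environmental); the metric names and numeric weights are my recollection of the version 1 specification and are an assumption of this example, as are the three advisories and the site profile, which are constructed for illustration and describe no real product.

```python
"""Three-layer vulnerability scoring in the style of CVSS version 1.

Added example, not code from the article, FIRST or any vendor quoted.
The metric names and weights are my recollection of the CVSS v1
specification and are an assumption of this example; the advisories
and the environment profile below are constructed, not real flaws.
"""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# --- Base metrics: intrinsic properties of the flaw (assumed v1 weights) ---
ACCESS_VECTOR = {"local": D("0.7"), "remote": D("1.0")}
ACCESS_COMPLEXITY = {"high": D("0.8"), "low": D("1.0")}
AUTHENTICATION = {"required": D("0.6"), "not_required": D("1.0")}
IMPACT = {"none": D("0"), "partial": D("0.7"), "complete": D("1.0")}
# Impact bias weights: (confidentiality, integrity, availability)
IMPACT_BIAS = {
    "normal": (D("0.333"), D("0.333"), D("0.333")),
    "confidentiality": (D("0.5"), D("0.25"), D("0.25")),
    "integrity": (D("0.25"), D("0.5"), D("0.25")),
    "availability": (D("0.25"), D("0.25"), D("0.5")),
}

# --- Temporal metrics: change over time as exploit code and fixes appear ---
EXPLOITABILITY = {"unproven": D("0.85"), "proof_of_concept": D("0.9"),
                  "functional": D("0.95"), "high": D("1.0")}
REMEDIATION_LEVEL = {"official_fix": D("0.87"), "temporary_fix": D("0.90"),
                     "workaround": D("0.95"), "unavailable": D("1.0")}
REPORT_CONFIDENCE = {"unconfirmed": D("0.90"), "uncorroborated": D("0.95"),
                     "confirmed": D("1.0")}

# --- Environmental metrics: supplied by the organisation, not the vendor ---
COLLATERAL_DAMAGE = {"none": D("0"), "low": D("0.1"), "medium": D("0.3"), "high": D("0.5")}
TARGET_DISTRIBUTION = {"none": D("0"), "low": D("0.25"), "medium": D("0.75"), "high": D("1.0")}


def round1(value):
    """Round to one decimal place, half up; Decimal keeps this exact."""
    return value.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    """Vendor-side score: access vector/complexity/auth times weighted impact."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return round1(D(10) * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact)


def temporal_score(base, exploitability, remediation, confidence):
    """Scale the base score by exploit maturity, fix availability and confidence."""
    return round1(base * EXPLOITABILITY[exploitability]
                  * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])


def environmental_score(temporal, collateral, distribution):
    """Adjust for what the flaw would cost this site and how many hosts it touches."""
    return round1((temporal + (D(10) - temporal) * COLLATERAL_DAMAGE[collateral])
                  * TARGET_DISTRIBUTION[distribution])


def score(vuln, env):
    """Return (base, temporal, environmental) for one advisory at one site."""
    b = base_score(**vuln["base"])
    t = temporal_score(b, **vuln["temporal"])
    e = environmental_score(t, **env)
    return b, t, e


# Constructed advisories from three hypothetical vendors (not real flaws).
ADVISORIES = {
    "legacy-mail-server-overflow": {
        "base": dict(av="remote", ac="low", au="not_required",
                     conf="complete", integ="complete", avail="complete"),
        "temporal": dict(exploitability="unproven", remediation="official_fix",
                         confidence="confirmed"),
    },
    "browser-code-execution": {
        "base": dict(av="remote", ac="low", au="not_required",
                     conf="partial", integ="partial", avail="partial"),
        "temporal": dict(exploitability="high", remediation="unavailable",
                         confidence="confirmed"),
    },
    "internal-app-injection": {
        "base": dict(av="remote", ac="low", au="required",
                     conf="complete", integ="complete", avail="none",
                     bias="confidentiality"),
        "temporal": dict(exploitability="proof_of_concept", remediation="workaround",
                         confidence="uncorroborated"),
    },
}

# Constructed site profile: the organisation's own exposure to each flaw.
ENVIRONMENT = {
    "legacy-mail-server-overflow": dict(collateral="low", distribution="low"),
    "browser-code-execution": dict(collateral="low", distribution="high"),
    "internal-app-injection": dict(collateral="high", distribution="medium"),
}


def patch_priority(advisories, environment):
    """Rank advisories from any vendor by environmental score, highest first."""
    scored = {name: score(v, environment[name]) for name, v in advisories.items()}
    return sorted(scored.items(), key=lambda kv: kv[1][2], reverse=True)


if __name__ == "__main__":
    for name, (b, t, e) in patch_priority(ADVISORIES, ENVIRONMENT):
        print(f"{name:28s} base={b} temporal={t} environmental={e}")
```

Run stand-alone, the mail-server flaw has the highest base score (10.0) but drops to the bottom of the queue once an official fix, no known exploit code and a handful of affected hosts are factored in, while the browser flaw with public exploit code and no patch rises to the top. That reordering is what the environmental metric buys a risk manager; the vendor's base score alone would have prioritised the wrong patch for this site.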

FIRST is calling on the software industry to include CVSS scores in its security advisories, said Caudill, who is also a member of Cisco Systems' product security incident response team. "It gets everybody on the same page," he said. Cisco already provides CVSS scores on its MySDN security site but not in its own advisories, Caudill said.

Several security vendors--including Symantec, Internet Security Systems and Qualys--support CVSS and will adopt it in their own products, representatives of the companies said.

"We're strong supporters of having open standards in this area," said Vincent Weafer, a senior director at Symantec Security Response. "Prior to this, each vendor had their own standards on scoring vulnerabilities, which makes it very confusing for enterprises making critical decisions on which patches to deploy first."

Qualys' Eschelbeck agreed. "Users are looking to CVSS-type scoring, so we can take away a burden from them," he said.

Microsoft's stance
However, Microsoft is sticking to its own rating scheme, Kevin Kean, director of Microsoft's security response center, said in a statement provided by representatives of the software giant.

"We recognize that some vendors and security organizations within the industry utilize varying severity rating systems which do serve practical purposes for their objectives. Our customers have told us that the severity rating system we implemented in 2002 is valuable in helping them assess their level of risk and utilize the resources we've made available to them to help protect their systems," Kean said.

Still, if customers start requesting that Microsoft adopt CVSS, it will, Kean said.

With Microsoft giving CVSS the cold shoulder, it could be a while before the system is broadly adopted, said John Pescatore, a vice president at researcher Gartner.

"Since Microsoft is pretty much the largest source of vulnerabilities on desktop PCs, if they don't use CVSS, it will slow down others," Pescatore said. "I think security service and tool vendors will start to use it sooner."

While there is some benefit in CVSS, Pescatore thinks its role in helping IT managers decide which patches to apply first is being overstated. "No scoring system will do that," he said. "But having a standard rating methodology used by most vendors will be a good thing for IT."

If users see value in the new scoring system, they can put pressure on software companies to start using it, Pescatore said. "If a few large product vendors, like Cisco, start to use it, I think that by 2007, Microsoft would start hearing from its customers that they want Microsoft to use it," he said.

4 comments
I doubt this will stop security firms from trying to grab Cnet headlines.
While I welcome a "real-world" system for rating vulnerabilities, there's a cottage industry in "revealing" vulnerabilities (then offering services to prevent them).

I don't expect this to stem the tide of press releases that Cnet prints all too gladly.
Posted by M C (598 comments)
Your Headline in the Sand?
Yeah, those pesky MS based worms that attacked major media organizations last month were much ado about nothing. C|Net had no business calling our attention to yet another MS defect. I mean, who asked them anyway? I'm sure it will all be alright. Right? Just ask the IT "Pros" who neglected to patch for it. We can trust them.

C|Net Chicken Littles. (Sarcasm set to stun.)
Posted by cjohn17 (268 comments)
On The Right Track
There is a serious need to implement this technology of a common, global, patch assessment service. One website to go to for IT personnel is the key to maintaining safer and secure software.

Microsoft's lack of adoption of this scheme is nothing new to anybody. Microsoft bucks at anything that doesn't put them in the spotlight.

Most software updates from vendors happen because of a critical update or patch that's released by Microsoft.

Unfortunately, for the IT community, this has an adverse effect on the way patches and security updates are handled by other software vendors.

Therefore leaving the consumer to deal with the end result, a proverbial house with its windows open 24/7. In layman's terms: You're just waiting to get robbed.

My advice to all that create software for computers is this:

Be proactive in the adoption of this service and start offering society a sense of security that is brought from the knowledge gained.

You know, kinda like having service by ADT. As long as they're around to monitor your house, you'll be protected.

The real deal, end result of this operation, is a move in the right direction for everybody that uses a computer.

Justin
Posted by OneWithTech (196 comments)
Don't Trust the IT Departments
I don't think MS-based IT departments can ever be trusted to do the right thing. My experience is that they rarely believe there's a problem until it shuts down systems. Their benign neglect is comical.

But they sure love endless meetings that never solve anything.
Posted by cjohn17 (268 comments)