- How to use electrical outlets and cheap lasers to steal data
- The botnet world is booming
- NTIA seeks volunteers to review broadband applications
- The 10 dumbest mistakes network managers make
- What's driving this university to IPv6? Going green
Leading IT companies including Cisco, Microsoft and Symantec are promoting a rating system that will standardize the measurement of the severity of software vulnerabilities.
A plan for the new system, called the Common Vulnerability Scoring System (CVSS), was unveiled at the RSA Conference in San Francisco on Thursday. If widely adopted, the new system will provide a common language for describing the seriousness of computer security vulnerabilities and replace different, vendor-specific rating systems, according to a presentation on the system by Mike Schiffman, a researcher at Cisco.
The new scoring system is part of a project by the National Infrastructure Advisory Council to create a global framework for disclosing information about security vulnerabilities. Representatives from across government and industry contributed to the new CVSS proposal, including eBay, Qualys, Internet Security Systems Inc. and Mitre.
NIAC is part of the U.S. Department of Homeland Security and is concerned with the security of information systems that support critical infrastructure for areas such as banking, finance, transportation, energy and manufacturing.
CVSS will use standard mathematical equations to calculate the severity of new vulnerabilities based on basic information such as whether a vulnerability can be remotely exploited, or whether an attacker must log in to a vulnerable system before being able to take advantage of a security hole, said Gerhard Eschelbeck of Qualys.
CVSS ratings will also consider timing issues, such as whether an exploit or a software patch for a specific vulnerability is available, and how long it has been available, he said.
The new rating system will be akin to the Common Vulnerabilities and Exposures (CVE) database that is maintained by Mitre and provides standard identifiers and information about software holes. As with CVE, vendors will most likely use CVSS ratings as a common base of reference, but continue to offer their own analysis or threat assessments, Eschelbeck said.
IT security vendors will use the CVSS in their products to evaluate and prioritize software vulnerabilities. Vendors will also be asked to provide ways for customers to enter information about their IT environment, such as the number and type of systems affected, before calculating a final CVSS rating, he said.
Rss FeedRss Feed
The Leader in Network Knowledge
Comment