Federal flaw database commits to grading system
Robert Lemos, SecurityFocus 2005-12-02

A federal database of software vulnerabilities funded by the U.S. Department
of Homeland Security has decided on a common method of ranking flaw severity
and has assigned scores to the more than 13,000 vulnerabilities currently
contained in its database, the group announced this week.

The National Vulnerability Database, unveiled in August, completed its
conversion over to the Common Vulnerability Scoring System, a industry
initiative aimed at standardizing the severity rankings of flaws. The CVSS
gives vulnerabilities a base score based on their severity, a temporal score
that measures the current danger--which could be lessened by a widely
available patch, for example--and an environmental score that measures an
organization's reliance on the vulnerable systems.

"There does not exist or ever will exist a perfect technique for scoring
vulnerability impact," Mell said. "CVSS appears to work very effectively and
it was better than my current scoring system and so it made sense to adopt

The move to the Common Vulnerability Scoring System gives the flaw-ranking
initiative a major boost. Created by security researchers at networking
giant Cisco, vulnerability management software provider Qualys and security
company Symantec, the CVSS has not been used widely, though many companies
are considering scoring flaws with the system. (SecurityFocus is owned by

The grading of the previous vulnerabilities on the CVE list solves a problem
that hampered adoption of the Common Vulnerability Scoring System, said
Gerhard Eschelbeck, chief technology officer for Qualys and one of the
founding members of the CVSS team.

"With the introduction of CVSS as a standardized vulnerability scoring
system, the question appeared, how do we go back and score all the
historical vulnerabilities released?" he said. "It is very encouraging to
see NVD has taken on this big task, providing comprehensive CVSS scoring for
even historical vulnerabilities."

To date, no software vendor has yet graded vulnerabilities in its product
using the Common Vulnerability Scoring System. Microsoft, for example, has
its own severity-grading system and has considered but not committed to
supporting the CVSS. Microsoft's current scoring system--rating flaws as one
of four levels of severity--works well for its customers, said a
spokesperson for the software giant. The company did not rule out a future
move to the ranking system, however.

Some software makers worry that rating vulnerabilities could have some legal
implications. For example, if a company gave a flaw a low rating and then
that issue was used as an avenue for a costly attack, the firm could be held
liable for its severity ranking. Such worries have caused companies to take
their time debating the merits of adopting the Common Vulnerability Scoring
System, said Gavin Reid, team lead for the CVSS program at the Forum of
Incident Response and Security Teams (FIRST), which was chosen to host the
CVSS project.

"I think there is significant hurdles for people adopting the scoring
system," said Reid, who also works for Cisco, one of the companies that
supported the creation of the CVSS. "But once one or two of them start using
it, I think we will see a lot more adopting CVSS."

For that reason, the National Vulnerability Database's decision to use the
scoring system and the group's ranking of more than 13,000 previous
vulnerabilities has given CVSS a major boost, Reid said.

The NVD is managed by National Institute of Standards and Technology (NIST)
but funded through the Department of Homeland Security. The group's staff
adds 16 new vulnerabilities to the the database each day, up from 8 per day
in August, and keeps a variety of current statistics, including a measure of
the workload that the release of such flaws has on network administrators.

The National Vulnerability Database (NVD) is an initiative funded by the
U.S. Department of Homeland Security to boost the preparedness of the
nation's Internet and computer infrastructure, as called for by the Bush
Administration's National Strategy to Secure Cyberspace. Other DHS
initiatives, such as the US Computer Emergency Readiness Team (US-CERT),
release some information on serious vulnerabilities, but do not try to
create a complete collection of critical and non-critical flaws.

The NVD piggybacks on the Common Vulnerability and Exposures (CVE) to do
just that. The CVE, a listing of serious vulnerabilities maintained by the
Mitre Corporation, expands on the Internet Catalog (ICAT)--a previous NIST
project--that archived the vulnerabilities defined by the Common
Vulnerability and Exposures list.

The NVD team scored the vulnerabilities using an automated process. The CVE
database only had about 80 percent of the information needed to give an
exact score, Mell said, so the group has generated the scores based on the
information at hand and labeled each one "approximate."

The CVE definitions are one of the standards that the National Vulnerability
Database depends on. The database also uses the Open Vulnerability and
Assessment Language (OVAL) to describe the security issues in a standard
language, NIST's Mell said.

"The reason we chose CVSS as opposed to another scoring system was that we
believe in standards," Mell said. "If everyone uses a different scoring
system, then the effectiveness of each scoring system is limited."

Currently, the database gets nearly 1.5 million hits a month from the
private sector as well as government and academic users, Mell said. The
group also provides a calculator for companies to generate an environmental
score based on the vulnerable systems and the company's use of those

You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.

Reply via email to