[HN Gopher] A closer look at CVSS scores
___________________________________________________________________
A closer look at CVSS scores
Author : mrcsd
Score : 37 points
Date : 2022-06-20 17:28 UTC (5 hours ago)
(HTM) web link (theoryof.predictable.software)
(TXT) w3m dump (theoryof.predictable.software)
| andy_ppp wrote:
| I built a CVSS2 calculator amongst other things; I came to the
| conclusion that they are trying to turn an art (how problematic
| an issue is) into a pure science and they keep realising they
| need ever more parameters. I'm glad they have tried but would
| rather trust a pen tester to help me rank issues within my
| organisation than attempt to use a one size fits all formula that
| doesn't account for my specific situation perfectly.
| altharaz wrote:
| Very great article.
|
| At the moment IMHO the major issue comes from the fact that people
| use only the Basic Score of the CVSS 3.1, issued by the NVD.
|
| Indeed, if you also take the Temporal Score (with CTI feeds for
| example), and if you add the Environmental Score, then you can
| have very good results to help prioritize the vulnerabilities
| on your assets and reflect the real threat.
|
| I would also like, however, to see the CVSS4 with a "cost to
| patch" component: in OT environments, CISOs like to use the SSVC
| because it's the easiest way to say "wait" instead of "patch
| now". But since SSVC is not really recognized by all auditors, it
| generates conflicts. Bringing a component into the CVSS to reflect
| the cost of remediation on very complex devices, where deploying
| a KB requires stopping a full factory, could help get the same
| results (aka "don't patch now and wait") but with a more
| respected scoring system.
|
| From my perspective, that's the only missing component for a good
| CVSS system :).
| lmeyerov wrote:
| I'm curious how you'd account for factors like `npm audit` failing
| on probably most javascript repos out there on reasonably high
| CVSS settings due to including items like
| https://nvd.nist.gov/vuln/detail/CVE-2021-3807 ? And
| particularly, how to fix that, or is it Working As Intended?
| pornel wrote:
| The security vendors have an ass-covering policy of scoring
| _worst possible scenario_ , without any regard for how
| implausible it is.
|
| If you had a cupboard in your basement storing a can of spray that
| had a "warning: flammable" sticker with weak glue: the
| sticker could fall off, you could have used it without knowing
| it's flammable, which could lead you to setting your house on
| fire. Therefore the CVSS score of "weak sticker glue" is the
| same as your house being actively on fire.
| [deleted]
| jacques_chester wrote:
| I'm the author and would be happy to answer questions to the best
| of my ability.
| politelemon wrote:
| There's an immense amount of detail in that post, I'm still
| reading through it.
|
| Do you work in this field or did you research all this as a
| hobby, or both?
| jacques_chester wrote:
| Both. Currently I work in supply chain security with a focus
| on Ruby. I also spend a lot of time cooperating with others
| in OpenSSF working groups.
|
| I'd had in mind to write about CVSS for some time. I wrote a
| few paras and created the first plot, but that's as far as I
| got for about a year. One Saturday morning about 2 months ago
| I started thinking about it again and got the itch to finish
| it. It kept growing as I went because I kept finding more to
| write about.
|
| Edit: the original ambition for my site was more about
| applying what I have learned about statistics, psychology and
| economics to general software development and ops. But now
| that my day job is mostly thinking about security it has
| veered off in that direction instead (for the moment at
| least).
| politelemon wrote:
| Thanks for sharing, I always appreciate these insights into
| fields I often encounter but don't think about. I'll read
| through it, that's a promise!
___________________________________________________________________
(page generated 2022-06-20 23:01 UTC)