Module 3 Unit9 summary post
Summary
Despite the wide adoption of CVSS by many organizations, Spring et al (2021) argue that the current version is not adequate to be used as a method for risk assessment.
The authors summarize their arguments by highlighting that the CVSS formula is neither clear nor justified, and that the CVSS documentation lacks transparency about how the formula was derived. Moreover, they argue that while CVSS can identify the severity of a vulnerability from a technical perspective, it does not provide the whole picture: the environmental and temporal scores, which supply context and consequences, are not accounted for in the way vulnerabilities are usually scored.
The arguments presented by Spring et al (2021) are valid and supported by other academic references. For instance, Tan et al (2019) argue that the CVSS grading method ignores the risk elevation caused by a group of vulnerabilities and that its evaluation of the exploitable level has low accuracy. Moreover, CVSS base scores only show the severity of a vulnerability; they do not take into consideration the risk that severity brings to the environment, nor do they provide an accurate cyber-risk score. In this context, it is impossible to prioritize vulnerability fixes in an effective manner (Fortinet, 2024).
Spring et al (2021) argue that the scoring formula should be reworked with empirical justification, and suggest that the new algorithm should provide the needed risk elements of context and material consequences. Moreover, the authors express concerns about the practicality of CVSS and propose Stakeholder-Specific Vulnerability Categorization (SSVC) as a solution. SSVC, unlike CVSS, emphasizes community contribution through an open GitHub repository to better understand the diverse needs of users.
Tan et al (2019) present a new quantitative vulnerability grading approach called ICVSS. ICVSS evaluates the indexes of the exploitability metrics, adds vulnerability types in order to investigate attack paths using continuity levels determined by privilege, and quantifies the influence of the exploitable level and vulnerability type using the Analytic Hierarchy Process (AHP). It has been demonstrated that ICVSS, as opposed to CVSS and WIVSS, is more accurate and stable in identifying attack paths that comprise a series of vulnerabilities when assessing network security situations.
While these criticisms highlight valid concerns about CVSS, it is important to note that CVSS also has its strengths and has been continuously updated to address some of them. For example, newer versions of CVSS have attempted to simplify the scoring process and provide more guidance for users. Additionally, CVSS is just one tool in the larger ecosystem of vulnerability management, and it should be used alongside other risk assessment techniques to provide a more comprehensive picture of cybersecurity risk.
References
- Fortinet (2024). What Is Common Vulnerability Scoring System (CVSS). Available from: https://www.fortinet.com/it/resources/cyberglossary/common-vulnerability-scoring-system [Accessed 23 Feb. 2024].
- Spring, J., Hatleback, E., Householder, A., Manion, A. and Shick, D. (2021). Time to Change the CVSS? IEEE Security & Privacy, 19(2), pp. 74-78.
- Tan, T., Wang, B., Tang, Y., Zhou, X. and Han, J. (2019). ICVSS: A New Method for Vulnerability Quantitative Grading. Computers, Materials & Continua, 61(2).