Bringing law to the security jungle

A plan to make it easier for companies to determine how hard they could be hit by security flaws is ready for prime time, according to its backers.

The Common Vulnerability Scoring System plan calls for a unified approach to rating vulnerabilities in software, to replace the proprietary methods many technology companies and security vendors use when determining the impact of a flaw.

"We want to bring order to the chaos," said Mike Caudill, chairman of the Forum of Incident Response and Security Teams (FIRST) which is pushing for adoption of the new Common Vulnerability Scoring System (CVSS). "The ultimate goal is to have a system that will help the user appropriately react to a vulnerability."

CVSS was developed under the auspices of the National Infrastructure Advisory Council, which advises US President Bush about the security of information systems for critical infrastructure. FIRST, a worldwide consortium of security incident response teams such as the United States Computer Emergency Readiness Center, coordinates further CVSS development.

On Monday, FIRST plans to announce a push for wide-scale adoption of CVSS. Backers believe the rating system is ready to move into more general use after being a work-in-progress for the past year and a half. It was released publicly in late February, when a group of about 30 companies started testing it.

"Now is the time to move to the next phase of deploying CVSS and getting additional vendors on board," Gerhard Eschelbeck, one of the designers of the rating scheme and chief technology officer at vulnerability management company Qualys, said Friday.

CVSS goes beyond today's severity ratings, such as the familiar "critical" and "important" found in security bulletins from Microsoft. The new scoring system, which uses numbers between 1 and 10, enables organizations to calculate the specific risk to their own environment by adding information related to their IT systems. This could help them prioritise patches.

In addition to letting companies add their own environmental metric to the risk equation, CVSS also takes into account factors such as the availability of attack code and security patches, which can have an impact on the risk posed by a vulnerability. Current rating schemes typically are limited only to certain aspects of the vulnerability — for example, whether an attacker could remotely compromise a system and how easily a flaw can be exploited.

Risk assessment
If CVSS is widely adopted, an enterprise risk manager or security professional could use the system to determine which flaws need fixing first, Caudill said.

"It would allow an organisation to compare vulnerabilities from multiple vendors, on multiple platforms and potentially affecting different parts of an organization, and have a common metric for assessing the risk," he said.

FIRST is calling on the software industry to include CVSS scores in its security advisories, said Caudill, who is also a member of Cisco's product security incident response team. "It gets everybody on the same page," he said. Cisco already provides CVSS scores on its MySDN security site but not in its own advisories, Caudill said.

Several security vendors — including Symantec, ISS and Qualys — support CVSS and will adopt it in their own products, representatives of the companies said.

"We're strong supporters of having open standards in this area," said Vincent Weafer, a senior director at Symantec Security Response. "Prior to this, each vendor had their own standards on scoring vulnerabilities, which makes it very confusing for enterprises making critical decisions on which patches to deploy first."

Qualys' Eschelbeck agreed. "Users are looking to CVSS-type scoring, so we can take away a burden from them," he said.

>Microsoft's stance
However, Microsoft is sticking to its own rating scheme, Kevin Kean, director of Microsoft's security response centre, said in a statement provided by representatives of the software giant.

"We recognise that some vendors and security organizations within the industry utilize varying severity rating systems which do serve practical purposes for their objectives. Our customers have told us that the severity rating system we implemented in 2002 is valuable in helping them assess their level of risk and utilise the resources we've made available to them to help protect their systems," Kean said.

Still, if customers start requesting that Microsoft adopt CVSS, it will, Kean said.

With Microsoft giving CVSS the cold shoulder, it could be a while for the system to be broadly adopted, said John Pescatore, a vice-president at researcher Gartner.

"Since Microsoft is pretty much the largest source of vulnerabilities on desktop PCs, if they don't use CVSS, it will slow down others," Pescatore said. "I think security service and tool vendors will start to use it sooner."

While there is some benefit in CVSS, Pescatore thinks its role in helping IT managers decide which patches to apply first is being overstated. "No scoring system will do that," he said. "But having a standard rating methodology used by most vendors will be a good thing for IT."

If users see value in the new scoring system, they can put pressure on software companies to start using it, Pescatore said. "If a few large product vendors, like Cisco, start to use it, I think that by 2007, Microsoft would start hearing from its customers that they want Microsoft to use it," he said.