CVSS in Assuria Auditor
CVSS is a vulnerability scoring system designed to provide an
open and standardized method for rating IT vulnerabilities. CVSS helps
organizations prioritize and coordinate a joint response to security
vulnerabilities by communicating the base, temporal and environmental
properties of a vulnerability.
The Common Vulnerability Scoring System (CVSS) provides an open
framework for communicating the characteristics and impacts of IT
vulnerabilities. CVSS consists of 3 groups: Base, Temporal and
Environmental. Each group produces a numeric score ranging from 0 to 10, and
a Vector, a compressed textual representation that reflects the values used
to derive the score. The Base group represents the intrinsic qualities of a
vulnerability. The Temporal group reflects the characteristics of a
vulnerability that change over time. The Environmental group represents the
characteristics of a vulnerability that are unique to any user's
environment. CVSS enables IT managers, vulnerability bulletin providers,
security vendors, application vendors and researchers to all benefit by
adopting this common language of scoring IT vulnerabilities. A Guide
to CVSS is available at
http://www.first.org/cvss/cvss-guide.html
FIRST sponsors and supports CVSS.
FIRST is the Forum of Incident Response and
Security Teams. FIRST brings together a wide variety of security and
incident response teams, including in particular product security teams, from the
government, commercial, and academic sectors. FIRST hosts a special interest group to update and promote CVSS
and provides a central repository for CVSS documentation.
CVSS scores online. The NIST NVD site presents all security
alerts with CVSS scores at
http://nvd.nist.gov/nvd.cfm.
NIST also provides XML feeds that anyone can use:
http://nvd.nist.gov/download.cfm#XML
For further information on CVSS v2, please see
http://www.first.org/cvss
and
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Assuria Auditor and CVSS
In Assuria Auditor, CVSS scores and vectors for checks can
be viewed in the Policy Navigators and in all HTML-based reports. Reports can
be ordered by different combinations of risk level and/or CVSS score.
A CVSS vector editor is provided as part of the Assuria Auditor
Console, to allow customers to set their own vectors (and hence scores)
for checks. The CVSS Vector Editor can be accessed from the
Maintenance menu -> CVSS.

Assuria Auditor reports
include CVSS data in the Summary section and detail section of reports.

Further information on CVSS is available at
http://www.first.org/cvss/