Nowadays, companies are using mobile applications to build awareness and recognition of their brand among their customers and target market. At the same time, the large and growing number of cyber-attacks has become a major concern for companies. Exploitation of vulnerabilities by attackers may lead to legal battles, financial losses, and reputational damage. To avoid such outcomes, companies should have a vulnerability management program in place, and judging the severity of a vulnerability is a significant step in that program, one that improves its overall efficiency. A widely accepted method used by information security specialists for this step is the Common Vulnerability Scoring System (CVSS).
What is a Software Vulnerability?
Any issue in code that can be exploited by attackers can be considered a software vulnerability. This includes vulnerabilities introduced by malicious changes to the code as well as by ordinary bugs. Such malicious injections are normally carried out through code injection or malware. By exploiting vulnerabilities, attackers get the opportunity to infiltrate systems, steal sensitive data and abuse resources. This makes vulnerability identification and assessment crucial for development and testing teams prior to any software release.
Some of the most frequently exploited vulnerability classes are SQL Injection, OS Command Injection, Buffer Overflow, and Integer Overflow.
What is Common Vulnerability Scoring System (CVSS)?
Historically, there were no published standards for calculating the score of a vulnerability. Scoring was done using each software vendor's own method. This created a lot of ambiguity for security specialists: it was difficult for them to understand which vulnerability needed to be fixed first when one was rated with a severity of "high" and another with a rating of 5.
The US National Infrastructure Assurance Council (NIAC) developed CVSS in 2005 to simplify the generation of a consistent score that can precisely show the severity and impact of a vulnerability in a specific IT environment. Today the International Forum for Incident Response and Security Teams (FIRST) owns and manages CVSS.
CVSS is a published standard used to capture the principal characteristics of a vulnerability. It generates a numerical score that reflects the severity of the vulnerability, and that numerical score is then converted into a qualitative representation: Low, Medium, High or Critical. This assists organizations in assessing and prioritizing their vulnerabilities. CVSS brought transparency to both the individual characteristics and the methodology used to derive a score.
CVSS has gone through many revisions since then, and there are three major versions of CVSS to date.
CVSS Versions
CVSS V1
Released in 2005 by NIAC, the objective of V1 was to establish a published standard for rating the severity of IT system vulnerabilities.
CVSS V2
This was an improved version of CVSS V1 and was released in 2007. V2 reduced inconsistencies and provided more granularity. Even though there were many types of vulnerabilities, V2 was able to reflect the right properties of each.
CVSS V3
V3 was a refined version of CVSS V2 and was released in 2015. V3 offered more advanced features, among them coverage of the privileges needed to exploit a vulnerability and of the opportunities an attacker gains to tap into the system after the vulnerability has been exploited.
The latest version of CVSS V3, CVSS V3.1, was released in June 2019.
CVSS Metrics
CVSS is formed from three metric groups:
Base Metrics show the severity of a vulnerability based on its constant, intrinsic characteristics. A realistic worst-case impact across diverse deployed environments is assumed.
Temporal Metrics adjust the Base severity based on dynamic factors, such as the availability of exploit code.
Environmental Metrics further adjust the Base and Temporal severities for a specific computing environment. Factors such as the presence of mitigations in that environment are taken into account.
Base Scores are often generated by the organization that owns a vulnerable product, or by a third party scoring on its behalf. Base Metrics are static and remain the same across all environments. To produce a severity more accurate for an organization's environment, the Base Score is supplemented with Temporal and Environmental Scores that are specific to its use of the vulnerable product. The CVSS information is then provided as an input to the organization's vulnerability management process, which considers factors that are not part of CVSS, ranks the threats specific to its technology infrastructure and informs remediation decisions. Those additional factors are outside the scope of CVSS and may include the customer count of a product line, threat to property or life, financial losses due to a breach, or public sentiment about highly exposed vulnerabilities.
How Does CVSS Scoring Work?
A CVSS score ranges between 0.0 and 10.0 (10.0 being the most severe). These scores are mapped to five qualitative ratings for less technical stakeholders:
0.0 = None
0.1-3.9 = Low
4.0-6.9 = Medium
7.0-8.9 = High
9.0-10.0 = Critical
Base and Temporal scores are calculated and provided by an analyst or vendor. The Base score is mandatory, while the Temporal score is optional. The Environmental score is calculated by the end user and is also optional. For CVSS-based vulnerability categorization, the Base score components must be completed: the Exploitability sub score, the Impact sub score and the Scope sub score. Using a formula that weights each of these sub scores, an overall Base score is calculated. The Base score is then multiplied by the three metrics within the Temporal group to calculate the Temporal score. The Environmental score calculation is more complex, with five metrics used to recompute the Base and Temporal scores. This more involved calculation gives a more accurate evaluation of the severity of a vulnerability, taking into account the way the vulnerable component is deployed.
What motivates organizations to adopt CVSS?
CVSS makes the life of security teams easier. It helps them gauge the impact of vulnerabilities on target systems and prioritize vulnerabilities for mitigation. CVSS also supports organizations in meeting their security standard requirements. For example, having unpatched vulnerabilities with a CVSS score of 4.0 or higher has an adverse impact on PCI compliance. CVSS scores can also be used by software developers to prioritize their security tests, ensuring that known serious vulnerabilities are mitigated during development itself.
CVSS Calculators
CVSS scores that are publicly available are Base scores only. Even though the Base score shows the severity of a vulnerability, it does not tell you whether the vulnerability poses a risk to your particular IT environment. A CVSS calculator can be used to calculate Temporal and Environmental scores for a specific environment. FIRST provides free CVSS calculators for each version of CVSS.
Mobile Application Vulnerability Assessment
Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and API Security Testing (APIT) are the best ways to ensure that your mobile application is secure. There are CVSS-based SAST, DAST and APIT vulnerability assessment tools that cover most of the publicly identified vulnerabilities. These VA tools can find and eliminate security vulnerabilities and software defects at an early stage of your mobile application development, helping to ensure that your software is secure, reliable, and compliant.
Shortcomings of CVSS
CVSS scoring is a vital tool for organizations to exchange information. However, it is being used for more than it was initially intended. It is often seen that organizations use CVSS scores to scan for vulnerabilities and prioritize their remediation efforts. CVSS scoring must not be used as a risk management tool, due to some of its shortcomings.
· CVSS score cannot measure actual risk: A CVSS score shows technical exploitability, which is different from active exploitation. Highly scored vulnerabilities are sometimes never exploited by attackers.
· Application environment is not in scope: When scoring, CVSS does not consider the context in which a vulnerability exists when assessing its criticality. This can leave an organization exposed.
· Threat intelligence is important: Vulnerability management should draw on various threat intelligence sources rather than trusting any one metric.
In short, cybersecurity teams should find robust tools that can assess their IT environment and the complexities of the real world rather than depending solely on CVSS scores.
Final Thoughts
CVSS scoring is conceived as a de facto standard for exchanging information about vulnerabilities among industry stakeholders. It considers a range of criteria, including attack complexity, access vector, impact and authentication requirements. By following a purely CVSS-based vulnerability management program, security teams can squander their resources on a patch cycle focused on low-impact, low-probability issues, efficiently prioritizing technically severe vulnerabilities that do not pose the biggest threat to the organization's environment.