Current state of practice
Vulnerability management covers “the discovery, analysis, and handling of new or reported security vulnerabilities in information systems [and] the detection of and response to known vulnerabilities in order to prevent them from being exploited” [1]. Prioritization of organizational and analyst resources is an important precursor to vulnerability analysis, handling, and response. The general problem is: given limited resources, which vulnerabilities should be processed and which can be ignored for now? We approach this problem from a pragmatic, practitioner-centered perspective.
The de facto standard prioritization language is CVSS [2]. CVSS avoids discussing decisions and, instead, takes technical severity as its fundamental operating principle. However, the standard does not provide clear advice about how CVSS scores might inform decisions [3]. SSVC instead considers technical severity as one decision point in vulnerability management. Severity should only be a part of vulnerability response prioritization [4]. Vulnerability managers make decisions at a particular time in a specific context. CVSS base scores are static; we will make SSVC from modular parts that are easier to compose in each manager's temporal and operational context.
Any re-adaptation of the basic CVSS mindset inherits its deeper issues. For example, arguments for the CVSS scoring algorithm have not been transparent, and the standardization group has not justified the use of the formula either formally or empirically [5]. One complaint is that a high CVSS score does not predict which vulnerabilities will be commonly exploited or have exploits publicly released [6]. Studies of consistency in CVSS scoring indicate that analysts do not consistently interpret the elements of a CVSS version 3.0 score [7]. Because many adaptations of CVSS simply add additional metrics, we expect they will inherit such inconsistency. Analyst usability has so far been an afterthought, but we know from other areas of information security that usability is not well served as an afterthought [8]. SSVC aims to learn from and improve upon these issues.
Surveys of security metrics [9] and information sharing in cybersecurity [10] do not indicate any major efforts to conduct a wholesale rethinking of vulnerability prioritization. The surveys do indicate some options a prioritization method might consider, such as exploit availability or system attack surface. Representing Information for Decisions About Vulnerabilities describes our design goals for a pragmatic prioritization methodology that can improve and build on the state of current practice.
The target audience for SSVC is vulnerability managers of any kind. SSVC assumes that the vulnerability manager has identified that there is a vulnerability. We take our definition of vulnerability from [11]: “a set of conditions or behaviors that allows the violation of an explicit or implicit security policy.” A variety of problems or issues with computer systems are important but are not vulnerabilities. SSVC presents a risk prioritization method that might be useful for, or at least allied to, other risk management methods for these other kinds of issues. However, for this work we focus on decisions in the situation where there is a vulnerability and the vulnerability management team wants to decide what to do about it.
- Vilius Benetis, Olivier Caleff, Cristine Hoepers, Angela Horneman, Allen Householder, Klaus-Peter Kossakowski, Art Manion, Amanda Mullens, Samuel Perl, Daniel Roethlisberger, Sigitas Rokas, Mary Rossell, Robin M. Ruefle, Désirée Sacher, Krassimir T. Tzvetanov, and Mark Zajicek. Computer security incident response team (CSIRT) services framework. Technical Report ver. 2, FIRST, Cary, NC, USA, 2019.
- Jonathan M. Spring. Review of human decision-making during computer security incident analysis. Digital Threats: Research and Practice, April 2021. URL: https://doi.org/10.1145/3427787, doi:10.1145/3427787.
- Common vulnerability scoring system SIG. URL: https://www.first.org/cvss/ (visited on 2019-03-01).
- Katheryn A. Farris, Ankit Shah, George Cybenko, Rajesh Ganesan, and Sushil Jajodia. Vulcon: a system for vulnerability prioritization, mitigation, and management. Transactions on Privacy and Security, 21(4):16, 2018.
- Jonathan M. Spring, Eric Hatleback, Allen D. Householder, Art Manion, and Deana Shick. Towards improving CVSS. Technical Report, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 2018.
- Luca Allodi and Fabio Massacci. A preliminary analysis of vulnerability scores for attacks in wild: the ekits and sym datasets. In Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, 17–24. ACM, 2012.
- Luca Allodi, Marco Cremonini, Fabio Massacci, and Woohyun Shim. The effect of security education and expertise on security assessments: the case of software vulnerabilities. In Workshop on Economics of Information Security. Innsbruck, Austria, 2018.
- Simson Garfinkel and Heather Richter Lipford. Usable security: history, themes, and challenges. Synthesis Lectures on Information Security, Privacy, and Trust, 5(2):1–124, 2014.
- Marcus Pendleton, Richard Garcia-Lebron, Jin-Hee Cho, and Shouhuai Xu. A survey on systems security metrics. ACM Comput. Surv., 49(4):62:1–62:35, 2016.
- Stefan Laube and Rainer Böhme. Strategic aspects of cyber risk information sharing. ACM Comput. Surv., November 2017. URL: https://doi.org/10.1145/3124398.
- Allen D. Householder, Garret Wassermann, Art Manion, and Christopher King. The CERT® guide to coordinated vulnerability disclosure. Technical Report CMU/SEI-2017-TR-022, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 2020. URL: https://vuls.cert.org/confluence/display/CVD/Executive+Summary.