Where's Microsoft on CVSS Support?
Cisco has joined Oracle and others supporting the Common Vulnerability Scoring Standard, but unless Microsoft joins the party, the flaw rating scheme will continue to flounder.
Without much fanfare, Cisco added CVSS scores to this security alert for high-risk flaws in its Clean Access software.
Cisco has always been a strong CVSS advocate, but this is the first time the "base" and "temporal" scores have been included in a Cisco flaw warning.
With Oracle also on board, it seems that the fledgling framework is finally gaining some steam, but the absence of the big dog Microsoft will always mean there's more bark than bite for CVSS.
I've been following the vendor-neutral initiative closely since 2005, when it was first introduced at the RSA conference; I've always gotten a vibe from the CVSS evangelists that Microsoft's adoption will be the scale-tipper.
Microsoft was actually listed as a CVSS supporter at the 2005 launch, but the company insists that customers are happy with the severity ratings now used in the Patch Tuesday bulletins.
But no one at Redmond can explain exactly why it won't support CVSS, even alongside its own system. It can't hurt, can it?

Comments (3)
Why would Microsoft want to use someone else's standards? It would expose the true vulnerability of their operating systems and enable people to make direct and indisputable comparisons between products. No more obscurity and ways to hide.
With Vista, Microsoft has a tremendous opportunity to demonstrate its "Secure Computing Initiative" by using the standard rating system. If Vista is as secure as Microsoft claims, they should be jumping to show by every means at their disposal the evidence of this security. Microsoft is actually doing itself a severe disfavor by sticking to its old system and hiding behind an obscure vulnerability rating system; they are undermining their own claims.
Posted by Blair Christensen | January 8, 2007 12:44 PM
As a security consultant and one who actually adopted the CVSS scoring methodology, I have come to a very important conclusion in regards to this scoring standard. It's flawed.
CVSS in the end doesn't provide real value to any of the clients. Don't get me wrong. It's great for researchers due to its granularity. But because of this level of detail, the client has to constantly interpret the reasons for the score on any given vulnerability.
Is vulnerability A, with a score of 5 but with a likelihood of 1 and a large target base, more or less important than vulnerability B with the same score, but with a greater chance of exploit and a low environmental score? Try to explain this 100 plus times to the client!
In the scheme of things, the CVSS scoring system is too specialized and too vague to be of any real use to the customer.
Posted by Robert Vance | January 26, 2007 12:07 PM
I agree and disagree with Robert. I agree that it is specialized, but the lack of real use to the customer is more a function of the software that uses it. The challenge that Robert is experiencing is exposing the raw data directly to the user instead of an intuitive interface. The CVSS is very informative and can allow very fine filtering of vulnerabilities to show the key items of concern to a firm. Each firm's security needs are different, even within a firm. Thus filtering CVE vulnerabilities against XCCDF for each machine becomes a logical and priority driven approach to prompt addressing of issues.
Posted by Ken Lassesen | March 29, 2007 8:42 PM
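A worked illustration of the base/temporal/environmental split that Robert and Ken are arguing about, added here as an example and not part of the original post or comments. It implements the CVSS v2 equations (a revision published later in 2007 than the one in use when these comments were written; the metric weights are the v2 guide's) and scores one constructed base vector under two constructed temporal and environmental contexts, so that the same 7.8 base score ranks the two flaws one way by temporal score and the opposite way by environmental score.

```python
from decimal import Decimal, ROUND_HALF_UP
# CVSS v2 metric weights, from the published scoring guide.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}           # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}            # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}           # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}          # Conf/Integ/Avail impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}   # Exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}  # Remediation Level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}            # Report Confidence
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # Collateral Damage
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}    # Target Distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # Conf/Integ/Avail Requirement
def round1(x):
    """CVSS rounds every score to one decimal; half-up matches the guide's worked examples."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))
def parse(vector):
    """'AV:N/AC:L/Au:N/...' -> {'AV': 'N', 'AC': 'L', 'Au': 'N', ...}"""
    return dict(part.split(":") for part in vector.split("/"))
def impact(m, cr=1.0, ir=1.0, ar=1.0):
    # Requirement weights default to 1.0, which yields the plain base Impact.
    return 10.41 * (1 - (1 - CIA[m["C"]] * cr) * (1 - CIA[m["I"]] * ir) * (1 - CIA[m["A"]] * ar))
def base_from(imp, m):
    expl = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0 if imp == 0 else 1.176                   # f(Impact) from the guide
    return round1((0.6 * imp + 0.4 * expl - 1.5) * f)
def base_score(base_vector):
    m = parse(base_vector)
    return base_from(impact(m), m)
def temporal_score(base, temporal_vector):
    t = parse(temporal_vector)
    return round1(base * E[t["E"]] * RL[t["RL"]] * RC[t["RC"]])
def environmental_score(base_vector, temporal_vector, env_vector):
    m, env = parse(base_vector), parse(env_vector)
    adj_imp = min(10.0, impact(m, REQ[env["CR"]], REQ[env["IR"]], REQ[env["AR"]]))
    adj_temp = temporal_score(base_from(adj_imp, m), temporal_vector)
    return round1((adj_temp + (10 - adj_temp) * CDP[env["CDP"]]) * TD[env["TD"]])
def score_all(base_vector, temporal_vector, env_vector):
    """(base, temporal, environmental) for one flaw as seen by one firm."""
    b = base_score(base_vector)
    return b, temporal_score(b, temporal_vector), environmental_score(base_vector, temporal_vector, env_vector)
if __name__ == "__main__":
    # Constructed pair sharing one base vector (base score 7.8 for both).
    # A: unproven exploit, vendor fix out, but on every host and availability is critical.
    # B: exploit in wide use, no fix, but on few hosts with ordinary requirements.
    base = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    a = score_all(base, "E:U/RL:OF/RC:C", "CDP:L/TD:H/CR:M/IR:M/AR:H")
    b = score_all(base, "E:H/RL:U/RC:C", "CDP:L/TD:L/CR:M/IR:M/AR:M")
    print("A base/temporal/env:", a)   # (7.8, 5.8, 7.7)
    print("B base/temporal/env:", b)   # (7.8, 7.8, 2.0)
```

Temporal scoring puts B ahead of A, while the environmental score reverses the order, which is the ambiguity Robert describes and the firm-specific filtering Ken proposes to resolve it.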