Common Vulnerability Scoring System v3, presented at FIRST 2014

by Seth Hanford


Summary: As Manager of the Cisco Threat Research Analysis and Communications (TRAC) team, Seth Hanford helps to guide some of the most experienced and knowledgeable threat researchers and analysts at Cisco, and in the industry. Their collaborative research and analysis work is intended not only to continually enhance the quality and efficacy of Cisco’s security products, but also to provide actionable intelligence that helps all Internet users defend against both known and emerging network threats. Hanford was an Incident Manager for the Cisco Product Security Incident Response Team (PSIRT) and a Security Analyst for Cisco IntelliShield, a threat and vulnerability alerting service, before becoming manager of the Cisco TRAC team. In the past decade, Hanford has analyzed and scored thousands of vulnerabilities across all manner of software products, using each of the released versions of CVSS.
He has served as Chair of the Common Vulnerability Scoring System (CVSS) Special Interest Group at FIRST since 2011. Prior to serving as Chair, Hanford was a contributing member of the CVSS v2 SIG.
The Common Vulnerability Scoring System assists incident responders through standard characteristic classification and severity scoring for software vulnerabilities. With the June 2014 release of CVSS version 3, FIRST has committed once again to improving the standard and assisting incident responders and CVSS score consumers to classify and prioritize the software vulnerabilities found in their environments.
This paper will address the needs of the security community, changes in the vulnerability landscape, shortcomings of CVSS v2, and the solutions designed into the most recent release of CVSS. Attendees will learn about the new metrics in CVSS v3, how to use them to score vulnerabilities, and how the approach to vulnerability scoring and assessment has changed since CVSS v2. We will cover assessing User Interaction, Privileges Required, vulnerability Scope, as well as assessing the impact of Mitigations in a particular environment, and show how to score some example vulnerabilities. In addition, we will announce the release of the finalized CVSS v3 specification.