Q

Vulnerability management: Benefits of a vulnerability scoring system

What are the pros and cons of using a universal vulnerability scoring system from a vendor? Nick Lewis explains.

When researching vulnerability management products recently, I learned that Tripwire has its own vulnerability scoring system. Is it common for a vendor to do this, and what are the pros and cons?

Vendors love to do things their way, and because the tool is their product, they can really do whatever they want, especially when it comes to using their own vulnerability scoring system, naming of vulnerabilities or risk ratings. When it comes to vulnerability management products, enterprises need to be able to efficiently use said tools and effectively manage risk in their computing environment. A vendor can, in theory, integrate its different products so that something named in one tool with a certain score shows up with the same name and score in other tools.

However, enterprises typically have multiple tools and use multiple sources of vulnerability, threat or other data to manage their risk -- including Microsoft System Center Configuration Manager, IBM BigFix, Red Hat Satellite, Tenable Network Security Nessus, Rapid7 Nexpose, QualysGuard, and more. Many times these tools do not use common names and may not even include Common Vulnerabilities and Exposure numbers or common vulnerability scoring system (CVSS) scores, making it very difficult for an enterprise to assess risks across the entire scope of its business.

To create a holistic view of information security risk and ensure integration between different tools (e.g., vulnerability management, configuration management, patch management, etc.), enterprises and the security industry as a whole should either adhere to CVSS or, as Tripwire suggested, another sort of standard risk scoring system. In an enterprise, this strategy would need to include local asset value and must provide actionable direction.

The Tripwire IP360 scoring system includes these asset values and provides actionable advice for enterprises that use its products. The company released its scoring system as open source for all to use and for other companies to incorporate into their own products.

A CVSSv3 workgroup is trying to address the shortcomings of the previous CVSS versions. CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSSv3 aims to improve upon previous CVSS versions by improving actionability and addressing changes in technology.

If your enterprise has tools that use a custom scoring system or are capable of using CVSS or IP360, then you have the option to use whatever scoring system works best for your organization. Unfortunately, most companies don't have this flexibility. These enterprises should work with their vendors to attain it or consider such a vulnerability scoring system when evaluating new tools.

Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)

This was first published in August 2014

Dig deeper on Vulnerability Risk Assessment

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close