When researching vulnerability management products recently, I learned that Tripwire has its own vulnerability...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
scoring system. Is it common for a vendor to do this, and what are the pros and cons?
Vendors love to do things their way, and because the tool is their product, they can really do whatever they want, especially when it comes to using their own vulnerability scoring system, naming of vulnerabilities or risk ratings. When it comes to vulnerability management products, enterprises need to be able to efficiently use said tools and effectively manage risk in their computing environment. A vendor can, in theory, integrate its different products so that something named in one tool with a certain score shows up with the same name and score in other tools.
However, enterprises typically have multiple tools and use multiple sources of vulnerability, threat or other data to manage their risk -- including Microsoft System Center Configuration Manager, IBM BigFix, Red Hat Satellite, Tenable Network Security Nessus, Rapid7 Nexpose, QualysGuard, and more. Many times these tools do not use common names and may not even include Common Vulnerabilities and Exposure numbers or common vulnerability scoring system (CVSS) scores, making it very difficult for an enterprise to assess risks across the entire scope of its business.
To create a holistic view of information security risk and ensure integration between different tools (e.g., vulnerability management, configuration management, patch management, etc.), enterprises and the security industry as a whole should either adhere to CVSS or, as Tripwire suggested, another sort of standard risk scoring system. In an enterprise, this strategy would need to include local asset value and must provide actionable direction.
The Tripwire IP360 scoring system includes these asset values and provides actionable advice for enterprises that use its products. The company released its scoring system as open source for all to use and for other companies to incorporate into their own products.
A CVSSv3 workgroup is trying to address the shortcomings of the previous CVSS versions. CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSSv3 aims to improve upon previous CVSS versions by improving actionability and addressing changes in technology.
If your enterprise has tools that use a custom scoring system or are capable of using CVSS or IP360, then you have the option to use whatever scoring system works best for your organization. Unfortunately, most companies don't have this flexibility. These enterprises should work with their vendors to attain it or consider such a vulnerability scoring system when evaluating new tools.
Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)
Dig Deeper on Vulnerability Risk Assessment
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.