When researching vulnerability management products recently, I learned that Tripwire has its own vulnerability scoring system. Is it common for a vendor to do this, and what are the pros and cons?
Vendors love to do things their way, and because the tool is their product, they can do whatever they want, especially when it comes to their own vulnerability scoring systems, vulnerability names or risk ratings. When it comes to vulnerability management products, enterprises need to be able to use those tools efficiently and manage risk in their computing environment effectively. A vendor can, in theory, integrate its different products so that something named in one tool with a certain score shows up with the same name and score in its other tools.
However, enterprises typically have multiple tools and use multiple sources of vulnerability, threat and other data to manage their risk, including Microsoft System Center Configuration Manager, IBM BigFix, Red Hat Satellite, Tenable Network Security Nessus, Rapid7 Nexpose, QualysGuard and more. These tools often do not use common names and may not even include Common Vulnerabilities and Exposures (CVE) identifiers or Common Vulnerability Scoring System (CVSS) scores, making it very difficult for an enterprise to assess risk across the entire scope of its business.
To create a holistic view of information security risk and ensure integration between different tools (e.g., vulnerability management, configuration management, patch management, etc.), enterprises and the security industry as a whole should either adhere to CVSS or, as Tripwire has suggested, to another standard risk scoring system. In an enterprise, this strategy would need to include local asset value and must provide actionable direction.
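The normalisation problem described in the two paragraphs above, as an added example that is not from the article or from any vendor: findings from several scanners, each using its own severity scale and not always carrying a CVE, are mapped onto one 0-10 scale, weighted by a locally assigned asset value and merged by host and CVE. The scanner names, severity vocabularies, scale maximum, asset values and CVE ids are all constructed placeholders.

```python
from collections import defaultdict

# Constructed vocabularies for tools that do not emit CVSS scores (assumed, not any vendor's).
LABEL_TO_SCORE = {"critical": 9.5, "high": 7.5, "medium": 5.0, "low": 2.5}
VENDOR_SCALE_MAX = 1000.0  # hypothetical 0-1000 proprietary scale

def to_base_score(finding):
    """Map one tool's native severity onto a common 0-10 scale."""
    scale = finding["scale"]
    if scale == "cvss":
        return float(finding["severity"])
    if scale == "label":
        return LABEL_TO_SCORE[finding["severity"].lower()]
    if scale == "vendor":
        return 10.0 * float(finding["severity"]) / VENDOR_SCALE_MAX
    raise ValueError(f"unknown severity scale: {scale}")

def finding_key(finding):
    """Merge duplicates on (host, CVE); without a CVE, fall back to the tool's own name."""
    ident = finding.get("cve") or f'{finding["tool"]}:{finding["name"]}'
    return (finding["host"], ident)

def rank_findings(findings, asset_values):
    """Return (host, identifier, local_risk, tools) rows, highest local risk first.

    local_risk = highest normalised score for the key * asset value
    (1 = lab box, 3 = business-critical); unknown hosts default to 1.
    """
    merged = defaultdict(lambda: {"score": 0.0, "tools": set()})
    for f in findings:
        entry = merged[finding_key(f)]
        entry["score"] = max(entry["score"], to_base_score(f))
        entry["tools"].add(f["tool"])
    rows = [(host, ident, round(e["score"] * asset_values.get(host, 1), 1), sorted(e["tools"]))
            for (host, ident), e in merged.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample findings from three hypothetical scanners; CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"tool": "scannerA", "host": "db01", "cve": "CVE-0000-0001", "name": "openssl", "scale": "cvss", "severity": 7.5},
    {"tool": "scannerB", "host": "db01", "cve": "CVE-0000-0001", "name": "OpenSSL flaw", "scale": "label", "severity": "High"},
    {"tool": "scannerC", "host": "web01", "cve": None, "name": "Weak TLS config", "scale": "vendor", "severity": 800},
    {"tool": "scannerA", "host": "lab07", "cve": "CVE-0000-0002", "name": "kernel", "scale": "cvss", "severity": 9.8},
]
ASSET_VALUES = {"db01": 3, "web01": 2, "lab07": 1}  # locally assigned asset values

if __name__ == "__main__":
    for row in rank_findings(SAMPLE_FINDINGS, ASSET_VALUES):
        print(row)
```

Note that the finding with the highest raw CVSS score (9.8 on the lab host) ranks last once asset value is applied, which is the point of including local asset value in the scoring.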
The Tripwire IP360 scoring system includes these asset values and provides actionable advice for enterprises that use its products. The company released its scoring system as open source for all to use and for other companies to incorporate into their own products.
A CVSSv3 workgroup is trying to address the shortcomings of the previous CVSS versions. CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSSv3 aims to make scores more actionable and to account for changes in technology.
If your enterprise has tools that use a custom scoring system or that are capable of using CVSS or IP360, then you have the option to use whatever scoring system works best for your organization. Unfortunately, most companies don't have this flexibility. These enterprises should work with their vendors to obtain it, or consider support for such a vulnerability scoring system when evaluating new tools.
Related Q&A from Nick Lewis