{metæffekt} Universal CVSS Calculator
Exploring Context, Need and Function
Anti-Trust Policy Notice
● Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
● Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
CVSS What?
● CVSS = Common Vulnerability Scoring System
● Specification by first.org: https://www.first.org/cvss/
○ CVSS v1.0 was provided around 2005
○ CVSS v2.0 launched in 2007
○ CVSS v3.0 released 2015
○ CVSS v3.1 minor update in 2019 (currently used in NVD)
○ CVSS v4.0 released November 2023
Principles of CVSS (v3.1)
Source: https://www.first.org/cvss/v3.1/specification-document
While FIRST owns all right and interest in CVSS, it licenses it to the public freely for use, subject to the conditions below. Membership in FIRST is not required to use or implement CVSS. FIRST does, however, require that any individual or entity using CVSS give proper attribution, where applicable, that CVSS is owned by FIRST and used by permission. Further, FIRST requires as a condition of use that any individual or entity which publishes scores conforms to the guidelines described in this document and provides both the score and the scoring vector so others can understand how the score was derived.
Why is this useful?
[Diagram: the initial CVSS vector of the vulnerable software is extended step by step]
Vulnerable Software → Initial CVSS Vector
  + Temporal Information (Up-to-Date Knowledge)
  + Environmental Information (Operational Context / Deployment)
Initial Score → Context Score
The Context Score is a contextualized rescoring of the vulnerability… It represents the severity in the given specific context!
Why is this useful? (worked example)
Initial CVSS vector:        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H  →  10.0 CRITICAL
Temporal information:       CVSS:3.1/E:H/RL:U/RC:C
Environmental information:  CVSS:3.1/MAV:A/MAC:L/MPR:L
Context score (the initial vector with the temporal and environmental metrics applied):
                            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H  →  9.1 CRITICAL
The temporal metrics E:H, RL:U and RC:C all carry the weight 1.0 and leave the score unchanged; the drop to 9.1 comes from the environmental metrics, which state that in this deployment the component is only reachable from an adjacent network (MAV:A) and requires low privileges (MPR:L).
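The rescoring shown on the slide, carried out in code. This is an added example and not the metæffekt calculator's code: a minimal CVSS v3.1 scorer whose constants and formulas are those of section 7 of the FIRST CVSS v3.1 specification, applied to the slide's vectors. It also extracts the "modification vector" (the temporal and environmental delta between the initial and the context vector), which the slides later note the official calculators do not support directly. The function and variable names are this example's own.

```python
"""Added example (not the metaeffekt calculator's code): CVSS v3.1 base, temporal and
environmental scoring plus extraction of the modification vector. Constants and
formulas follow the FIRST CVSS v3.1 specification, section 7."""
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}     # PR weights when scope is changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}     # CR / IR / AR security requirements
BASE_KEYS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, done with integers so that
    float noise such as 4.000000000000001 does not become 4.1."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def parse(vector):
    """'CVSS:3.1/AV:N/...' -> {'AV': 'N', ...}; rejects other versions and incomplete base vectors."""
    head, *parts = vector.split("/")
    if head != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are handled here")
    m = dict(p.split(":", 1) for p in parts)
    missing = [k for k in BASE_KEYS if k not in m]
    if missing:
        raise ValueError("incomplete base vector, missing " + ",".join(missing))
    return m


def _subscore(av, ac, pr, ui, changed, c, i, a, cr=1.0, ir=1.0, ar=1.0, modified=False):
    """Base or modified (environmental) sub-score; 'modified' selects the v3.1 modified-impact curve."""
    iss = 1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)
    if modified:
        iss = min(iss, 0.915)
    if changed:
        tail = (iss * 0.9731 - 0.02) ** 13 if modified else (iss - 0.02) ** 15
        impact = 7.52 * (iss - 0.029) - 3.25 * tail
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * av * ac * pr * ui
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))


def scores(vector):
    """Base, temporal and environmental score of a CVSS:3.1 vector (temporal/environmental
    metrics that are absent or 'X' fall back to the base metric, as the specification requires)."""
    m = parse(vector)

    def g(k):  # modified metric if present and not 'X', otherwise the base metric
        v = m.get("M" + k, "X")
        return m[k] if v == "X" else v

    sc, msc = m["S"] == "C", g("S") == "C"
    base = _subscore(AV[m["AV"]], AC[m["AC"]], (PR_CHANGED if sc else PR_UNCHANGED)[m["PR"]],
                     UI[m["UI"]], sc, CIA[m["C"]], CIA[m["I"]], CIA[m["A"]])
    tf = E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")]
    temporal = roundup(base * tf)
    env = _subscore(AV[g("AV")], AC[g("AC")], (PR_CHANGED if msc else PR_UNCHANGED)[g("PR")],
                    UI[g("UI")], msc, CIA[g("C")], CIA[g("I")], CIA[g("A")],
                    REQ[m.get("CR", "X")], REQ[m.get("IR", "X")], REQ[m.get("AR", "X")], modified=True)
    return {"base": base, "temporal": temporal, "environmental": roundup(env * tf)}


def severity(score):
    """Qualitative rating scale of the v3.1 specification, section 5."""
    if score == 0.0:
        return "NONE"
    return "LOW" if score < 4.0 else "MEDIUM" if score < 7.0 else "HIGH" if score < 9.0 else "CRITICAL"


def modification_vector(initial, context):
    """Metrics the context vector adds to or changes against the initial vector: the
    adjustment an assessor hands back instead of the full rescored vector."""
    a, b = parse(initial), parse(context)
    delta = [f"{k}:{v}" for k, v in b.items() if a.get(k) != v]
    return "CVSS:3.1/" + "/".join(delta) if delta else ""


if __name__ == "__main__":
    initial = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"          # the slide's initial vector
    context = initial + "/E:H/RL:U/RC:C/MAV:A/MAC:L/MPR:L"          # plus the slide's temporal + environmental metrics
    for v in (initial, context):
        s = scores(v)
        print(v, s, severity(s["environmental"]))
    print("modification vector:", modification_vector(initial, context))
```

The environmental score is the context score of the slide: 10.0 for the initial vector, 9.1 once MAV:A and MPR:L are applied. Keeping the modification vector separate from the initial vector is what makes a rescoring reviewable: a reader can see exactly which metrics the assessor changed and why, instead of comparing two full vectors by eye.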
Existing “official” CVSS Calculators
• https://www.first.org/cvss/calculator/4.0
• https://www.first.org/cvss/calculator/3.1
• https://www.first.org/cvss/calculator/3.0
• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
• https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
Issues / Limits of “official” CVSS Calculators
• Only one CVSS vector of a specific version at a time.
• No qualitative comparison of score metrics.
• Linking to calculators with the CVSS vector as a parameter does not support all cases. Different situations require different calculators.
• Different usage patterns and visualization.
• NIST and FIRST non-responsive regarding online calculator issues and support.
• Extraction of the modification vector (the temporal/environmental delta applied on top of the initial vector) is not a directly supported use case.
→ Insufficient when contextualization is a fundamental discipline during vulnerability assessment.
One online CVSS Calculator to rule them all ;)
https://metaeffekt.com/security/cvss/calculator
Why the fuss?
• Dealing with many vulnerabilities.
• Automated initial pre-assessment / adjustment.
• Embrace CVSS rescoring as a core concept.
• Focus on priorities.
• Overcome simple vulnerability listing. Assess!
• Monitor!
What else? Alignment with OpenChain
[Diagram: Hardware / Software Asset → Asset Inventory / SBOM (“component record”), combined with the “customer agreement”, feeds the process results / compliance artifacts]
Process Results / Compliance Artifacts:
• Vulnerability Monitoring / Assessment (contract/SLA-driven)
• Vulnerability Reporting (contract/SLA-driven)
• Software Annex (compliance-driven)
Yet more?
• Vulnerability assessment requires guidance beyond the CVSS specification / ISO/IEC 18974:2023: we currently outline and apply an incremental risk-driven approach with 8 increments / practices.
• Starting is hard…
  ○ Creating a qualified, comprehensive SBOM
  ○ Defining the scope of assessment / availability of data
  ○ Context elaboration
  ○ Imprecise contractual obligations
  ○ Vulnerability correlation / heterogeneous vulnerability data sources / philosophies
  ○ Getting control over significant numbers of identified vulnerabilities
  ○ Customer liaison / communication
ISO/IEC 18974:2023 is a very good starting point!
Thank you!
Contact:
Karsten Klein
{metæffekt} GmbH
Renettenweg 16
69124 Heidelberg
Germany
Appreciating your attention…
karsten.klein@metaeffekt.com
Please Note:
● The OpenChain Project Meeting and Presentation Template contains the OpenChain trademark and can only be used for matters related to OpenChain Project activities. This template also contains The Linux Foundation trademarked logo. The Linux Foundation trademark policy can be found here: https://www.linuxfoundation.org/legal/trademark-usage
● If you want to use the OpenChain trademark for commercial activities please join the OpenChain Partner Program: https://www.openchainproject.org/partners

OpenChain Webinar: Universal CVSS Calculator


Editor's Notes

  1. To verify that 4.0 is not yet in use by NVD, query the latest entries: https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false&query=2024&results_type=overview&form_type=Basic&search_type=all&startIndex=0
  2. Demo outline:
     - Start with the loaded examples to explain the overall structure.
     - Start with a new and empty CVSS v3.1 vector: fill the base metrics, clone, adjust, compare.
     - Show Log4Shell: query from NVD, remove the 2.0 vector, clone the 3.1 vector, adjust, compare.
     - Dice a 4.0 vector and show the factors.
  3. Examples to show: example dashboards for HTTPD/OpenSSL, Windows 11 and Keycloak.
  4. Show the example annex and the example report.
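The check in the first editor's note (which CVSS versions NVD actually publishes) and the demo step "query from NVD", done against the NVD CVE API rather than the search page. This is an added example, not the metæffekt calculator's code. It assumes the NVD CVE API 2.0 response layout (`vulnerabilities[].cve.metrics.cvssMetricV40 / cvssMetricV31 / cvssMetricV30 / cvssMetricV2`, each entry carrying `source`, `type` and `cvssData`); the sample response and its CVE identifiers are constructed for the example, and `fetch_recent` is this example's own helper for a live query.

```python
"""Added example (not the metaeffekt tool's code): tally the CVSS versions present in an
NVD CVE API 2.0 response and pick one initial vector per CVE for rescoring.
SAMPLE_RESPONSE is constructed; the CVE ids in it are placeholders, not real entries."""
import json
import urllib.request
from collections import Counter

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# NVD API 2.0 metric containers, newest CVSS version first
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

SAMPLE_RESPONSE = json.loads("""{
  "vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "metrics": {
      "cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
        "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0}}],
      "cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary",
        "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0}}]}}},
    {"cve": {"id": "CVE-0000-0002", "metrics": {
      "cvssMetricV31": [{"source": "vendor@example.com", "type": "Secondary",
        "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "baseScore": 1.8}}]}}},
    {"cve": {"id": "CVE-0000-0003", "metrics": {}}}
  ]}""")


def cvss_versions(response):
    """Count the CVSS versions present in 'metrics' over all CVEs (any source, primary or secondary).
    An empty count for '4.0' is the answer to the editor's note."""
    counts = Counter()
    for item in response.get("vulnerabilities", []):
        metrics = item["cve"].get("metrics", {})
        for key in METRIC_KEYS:
            for entry in metrics.get(key, []):
                counts[entry["cvssData"]["version"]] += 1
    return counts


def primary_vectors(response):
    """One (cve id, version, vector) per CVE: the newest-version entry, preferring NVD's
    'Primary' record over a CNA 'Secondary' one; CVEs without any metrics yield None fields."""
    out = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        chosen = None
        for key in METRIC_KEYS:
            entries = cve.get("metrics", {}).get(key, [])
            primary = [e for e in entries if e.get("type") == "Primary"]
            pick = (primary or entries or [None])[0]
            if pick:
                chosen = (cve["id"], pick["cvssData"]["version"], pick["cvssData"]["vectorString"])
                break
        out.append(chosen or (cve["id"], None, None))
    return out


def fetch_recent(keyword="2024", results=50):
    """Live query (needs network); the API counterpart of the search URL in the editor's note."""
    url = f"{NVD_API}?keywordSearch={keyword}&resultsPerPage={results}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(dict(cvss_versions(SAMPLE_RESPONSE)))
    for row in primary_vectors(SAMPLE_RESPONSE):
        print(row)
```

The vector strings returned by `primary_vectors` are exactly what a calculator takes as its initial vector; a CVE that only carries a 2.0 vector is the "remove the 2.0 vector, clone the 3.1 vector" case from the demo outline and has to be rescored from a 3.1 vector of its own.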