Redazione RHC : 27 July 2025 09:53
How are software security vulnerabilities assessed? Is it possible to determine their severity? How can we determine the order in which to update code in the event of multiple vulnerabilities?
These are just some of the questions you should ask yourself when managing the security of a computer system. One possible solution involves an organization called FIRST (Forum of Incident Response and Security Teams) and a tool known by the acronym CVSS, or Common Vulnerability Scoring System, now in version 4.0.
The history of CVSS dates back to 2005, when, after about two years of study and research, the National Infrastructure Advisory Council, an advisory body to the President of the United States of America, launched version 1.0. This was followed by version 2.0 in 2007 and 3.0 in 2015. The current version, version 4.0, was released on October 21, 2023.
CVSS is a very useful technical standard, but like all things, it doesn’t solve every problem. For example, it doesn’t provide a measure of the likelihood of a vulnerability being exploited by an attacker, because it isn’t determined exclusively by technical factors.
CVSS consists of assigning each identified vulnerability a score between 0 and 10; the score indicates the severity of the vulnerability, which is greater the higher the score.
The score is assigned by evaluating 30 different factors, which for convenience and consistency are grouped into four categories: Base, Threat, Environmental, and Supplemental, abbreviated as B, T, E, and S. Therefore, when we talk about CVSS-B, we mean the CVSS value calculated using only the Base metrics, which is the score reported in most cases.
The Base category (or metric) in turn contains two other metrics: Exploitability and Impact. Exploitability includes those metrics that evaluate the requirements for successfully exploiting the vulnerability. Impact, on the other hand, includes metrics useful for measuring the impact of the vulnerability in question on the CIA (Confidentiality, Integrity, Availability) triad.
As mentioned, in addition to the Base metrics, there are three other categories: Threat, Environmental, and Supplemental.
Naturally, CVSS 4.0 has many other interesting features that the more curious can find in this study by Davide Ariu: About the Common Vulnerability Scoring System (CVSS) 4.0
Trying to calculate the value starting from a known vulnerability is relatively simple using the appropriate online calculator, also provided by FIRST. Experimenting allows you to truly appreciate the level of detail provided by CVSS and understand how much the actual value depends on the specifics of the organization being considered.
With what has been said so far, we have only partially answered the first of the initial questions: how to assess software security vulnerabilities. To try to answer the other two questions, we need to consider the IT infrastructure in question, the environment, and the associated risks. These considerations are therefore case-specific and cannot be generalized.
Often, during the vulnerability analysis of a corporate IT system, dozens or hundreds of vulnerabilities emerge, some known, most unknown to the security team. Assessing the risk associated with each individual vulnerability and prioritizing their resolution is a difficult task.
It should also be considered that this process is often fragmented and performed manually, as it is not always possible to have all the data available and visible with a single tool, nor is it easy to consolidate it into a single container for analysis. A final, but not least, issue concerns their visualization, which often involves the creation of graphs that are not immediately legible.
There are also several practical problems related to vulnerability identification and mitigation. In some environments, it is not possible to launch automatic programs to scan systems, requiring manual searches on individual devices. Corporate systems are not always up to date and do not always support the changes needed to mitigate known vulnerabilities. In some cases, the functionality (read: operability) of the system could even be compromised, which is generally undesirable. Ultimately, it is necessary to find the right balance between security and operability.
At this point, it is important to note that there are also methods for vulnerability management based on the specific risk faced by a given company or organization. This approach takes into account information about how exposed the affected party itself is, not only the technical characteristics of the vulnerability.
To answer these new questions, we need to consider a new acronym: CVE, which stands for “Common Vulnerabilities and Exposures.” CVE is simply a list of known vulnerabilities and is published by MITRE.
MITRE also maintains an updated list of CVE Numbering Authorities (CNAs), which are organizations authorized to assign a number to a vulnerability and publish it according to a well-defined procedure. These CNAs are generally software vendors and security researchers, but anyone can request to assign a number to a new vulnerability. Each CVE consists of an identifier number, a brief description, and references to the vulnerability reports.
The list, in its current version, includes 233,151 different items.
If you thought the hardest part was over, think again!
We haven’t even attempted to answer perhaps the most important question yet: how to determine the order in which to update code in the event of multiple vulnerabilities.
Prioritizing vulnerabilities requires a thorough understanding of the organization and assigning a risk value based on the impact on the company’s core business. Ultimately, vulnerabilities with a higher risk rating should generally have a higher priority.
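The following is an added example, not a method from the article or from FIRST, of the kind of risk-based ordering just described: each finding carries a CVE identifier (validated against the CVE-YYYY-NNNN… format), its CVSS-B score, and two pieces of organizational context, the business criticality of the affected asset and whether that asset is reachable from the internet. The weighting in `risk_score` is an assumption chosen for illustration; a real program would substitute its own. The findings, asset names and CVE identifiers (year 2099) are constructed placeholders, not real records.

```python
# Added example: ordering findings by organization-specific risk rather than by CVSS alone.
import re
from dataclasses import dataclass

# CVE identifiers are "CVE-" + four-digit year + a sequence of at least four digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss_base: float        # CVSS-B score, 0.0 to 10.0
    asset: str
    criticality: int        # business criticality of the asset: 1 (marginal) to 5 (core business)
    internet_exposed: bool  # reachable from outside the corporate network


def validate(f: Finding) -> None:
    """Reject records that would silently distort the ranking."""
    if not CVE_ID.match(f.cve_id):
        raise ValueError(f"{f.cve_id!r} is not a well-formed CVE identifier")
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"{f.cve_id}: CVSS score {f.cvss_base} out of range")
    if not 1 <= f.criticality <= 5:
        raise ValueError(f"{f.cve_id}: criticality {f.criticality} out of range 1-5")


def risk_score(f: Finding) -> float:
    """Assumed weighting (not from the article): the technical severity is scaled by how
    much the asset matters to the business, with a 25% uplift for internet-exposed assets."""
    validate(f)
    exposure = 1.25 if f.internet_exposed else 1.0
    return round(f.cvss_base * (f.criticality / 5) * exposure, 2)


def prioritize(findings) -> list:
    """Highest organizational risk first; ties broken by CVSS score, then by identifier."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss_base, f.cve_id))


def by_cvss_only(findings) -> list:
    """The naive ordering, for comparison: CVSS score alone, ignoring context."""
    return sorted(findings, key=lambda f: (-f.cvss_base, f.cve_id))


# Constructed sample findings (placeholder identifiers, not real CVEs).
SAMPLE_FINDINGS = [
    Finding("CVE-2099-0001", 9.8, "public web server", 5, True),
    Finding("CVE-2099-0002", 9.8, "isolated lab workstation", 1, False),
    Finding("CVE-2099-0003", 7.2, "payment gateway", 5, True),
    Finding("CVE-2099-0004", 4.3, "HR database", 4, False),
]

if __name__ == "__main__":
    print("by CVSS only:", [f.cve_id for f in by_cvss_only(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cve_id}  risk={risk_score(f):5.2f}  cvss={f.cvss_base}  {f.asset}")
```

With the sample data, the two 9.8 findings sit together at the top of a CVSS-only list, but the one on the isolated lab workstation drops to the bottom once business impact is taken into account, below a 4.3 on the HR database; that reversal is exactly the judgement the paragraph above asks the security team to make.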
In this article, we’ve seen some important concepts that correspond to the acronyms CVSS and CVE, as well as some security management processes, such as vulnerability management, including risk-specific vulnerability management.
My goal was to demonstrate the complexity of these concepts and the operations to be performed by the IT security team responsible for managing an organization’s security.
I hope I’ve been able to help.