DevSecOps in Practice

A Hands-On Guide to Operationalizing DevSecOps at Scale

Dependency Security Scanning

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is a standardized method used to measure the severity of security vulnerabilities. It was commissioned by the National Infrastructure Advisory Council (NIAC) and provides a score between 0.0 and 10.0. The higher the score, the more critical the vulnerability. In addition to the score, CVSS provides a detailed breakdown of the vulnerability's characteristics.

Currently, there are 4 major versions of CVSS:

  • CVSS v1.0: The very first version, released in 2005.
  • CVSS v2.0: Introduced in 2007, it improved on the first version.
  • CVSS v3.x: The third version, released in 2015, is the most widely used today.
  • CVSS v4.0: The latest version, released in 2023, further refines the scoring system.

ℹ️ CVSSv3 is probably the most used revision, designed to address issues seen in v2. Some criticisms of v3 include an increase in the severity of vulnerabilities (Cisco's study comparing CVSSv2 and CVSSv3 scores showed an increase in the average base score from 6.5 to 7.4 with CVSSv3). However, v3 is considered more accurate by a wide margin and provides a better representation of the risk associated with a vulnerability than v2.

Each version has its own scoring system, but the core concepts remain the same. In general, 3 main types of scores are calculated to determine the final score.

Base Score:

This score measures the intrinsic characteristics of the vulnerability. It includes the following metrics:

  • Attack Vector (AV): From where can the vulnerability be exploited, i.e. how remote can the attacker be? (available options: Network (N), Adjacent (A), Local (L), Physical (P)).
  • Attack Complexity (AC): Is exploitation straightforward, or does it depend on conditions outside the attacker's control? (available options: Low (L), High (H)).
  • Privileges Required (PR): What level of access must the attacker already hold? (available options: None (N), Low (L), High (H)).
  • User Interaction (UI): Does the attack require a user other than the attacker to take action? (available options: None (N), Required (R)).
  • Scope (S): Can exploiting the vulnerable component affect resources beyond that component, or only the component itself? (available options: Unchanged (U), Changed (C)).
  • Confidentiality (C): The impact of the vulnerability on the confidentiality of the system (available options: None (N), Low (L), High (H)).
  • Integrity (I): The impact of the vulnerability on the integrity of the system (available options: None (N), Low (L), High (H)).
  • Availability (A): The impact of the vulnerability on the availability of the system (available options: None (N), Low (L), High (H)).

Temporal Score:

This score reflects how the risk changes over time. It includes the following metrics:

  • Exploit Code Maturity (E): This metric gauges how likely a vulnerability is to be exploited by considering factors like the availability and sophistication of exploit code, which can evolve from theoretical proof-of-concept to automated, widespread attacks (available options: Not Defined (X), Unproven (U), Proof-of-Concept (P), Functional (F), High (H)).
  • Remediation Level (RL): This metric measures the availability of a fix for the vulnerability, such as a patch or update (available options: Not Defined (X), Official Fix (O), Temporary Fix (T), Workaround (W), Unavailable (U)).
  • Report Confidence (RC): This metric reflects the level of confidence in the existence of the vulnerability and the credibility of the source reporting it (available options: Not Defined (X), Unknown (U), Reasonable (R), Confirmed (C)).

Environmental Score:

This score adjusts the base score to the organization's specific environment. Its metrics include:

  • Confidentiality Requirement (CR): This metric reflects the importance of confidentiality to the organization (available options: Not Defined (X), Low (L), Medium (M), High (H)).
  • Integrity Requirement (IR): This metric reflects the importance of integrity to the organization (available options: Not Defined (X), Low (L), Medium (M), High (H)).
  • Availability Requirement (AR): This metric reflects the importance of availability to the organization (available options: Not Defined (X), Low (L), Medium (M), High (H)).
  • Modified Attack Vector (MAV): This metric overrides the base Attack Vector with the one that applies in the organization's environment (available options: Not Defined (X), Network (N), Adjacent (A), Local (L), Physical (P)).
  • And many more...

Based on the above categories, the CVSS score takes into account multiple factors like the attack vector, attack complexity, privileges required, user interaction, and the impact on confidentiality, integrity, and availability. The score is then categorized into severity levels like None, Low, Medium, High, and Critical.

The equation for calculating the CVSS score is complex, with multiple steps that vary by CVSS version. The exact formulas are published in the CVSS specification and combine several metrics and intermediate calculations to arrive at the final score, but the main steps are:

  • Base Score: Combine the intrinsic Impact and Exploitability scores (with a slight multiplier if the scope is changed) and round up.
  • Temporal Score: Adjust the Base Score by multiplying it with factors that reflect the evolving state of exploitability and remediation.
  • Environmental Score: Further adjust the score by using modified metrics that account for the specific environment, again applying multipliers and rounding rules.

As a result, we have 3 outputs: the score, the severity level, and the vector string.

(1) - The score itself, which ranges from 0.0 to 10.0.

(2) - The severity level, which is one of the following: None, Low
