What is OPSWAT Severity Score in our Vulnerability Scanning Technology?

What is Common Vulnerability Scoring System (CVSS) Score?

When talking about the impact of a vulnerability, we usually use t he Common Vulnerability Scoring System ( CVSS ), it is a free and open industry standard for assessing the severity of computer system security vulnerabilities . CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. The first version of CVSS as known as CVSSv1 was first introduced in 2005, the second version was launched in 2007 and third version, CVSSv3, was released in 2015.

OPSWAT Severity Score

Although the latest version, CVSSv3 has improvements compared with previous versions, it still has limitations such as it is just a static score, does not take CVE lifecycle as an input. In real life, a CVE in 2015 should be less important than a CVE in 2017 which has the same base score. Also risk level is one of the important inputs, for example a CVE with high CVSS score but it does not exploit many systems should have less impact than another ones which exploit many systems. Realizing those limitations, OPSWAT comes up with a new score based on CVSS and analyzing big data, we called " OPSWAT Severity Score ". It's a dynamic score, range from 0 to 100, calculated based on four parameters as below diagra m.


images/download/attachments/29935550/Untitled_Diagram%282%29.png


  • CVSSv2/CVSSv3: still be a primary input

  • CVE Popularity: how active the given vulnerability

  • Compromised Risk rate: number of infected devices/total number of devices that we have seen this vulnerability exists in. T he data of risk level is coming from real life machine

  • CVE Lifecycle: how long the vulnerability has been reported

Let's look at two CVEs, CVE-2016-2052 (Chrome) and CVE-2016-2826 (Firefox), to see how OPSWAT Severity Score works. CVE-2016-2826 has 7.8 CVSSv3 score which is higher than 7.6 for CVE-2016-2052, however with our statistic data, we observe that people looked for CVE-2016-2052 over 510 times while only 480 times for CVE-2016-2826 in the same period, along with that, we also see the risk rate for CVE-2016-2052 is 5.7% and for CVE-2016-2826 is only 4.4% . With our algorithm, OPSWAT Severity Score for CVE-2016-2052 is 76 and for CVE-2016-2826 is 73 .

With the new score, we hope to provide better information to the user. Specifically, for IT administrator who needs to review a bunch of CVEs in organization everyday, it potentially reduces time because with OPSWAT scores, a lot of old or none important CVES will be filtered out.

Reference: https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System

This article was last updated on 2018-06-27
VL