How CVSS is DOSsing your patching policy (and wasting your money).

L. Allodi, F. Massacci

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Professional


Abstract

The CVSS score is widely used as the de facto standard risk metric for vulnerabilities, to the point that the US Government itself encourages organizations to use it to prioritize vulnerability patching. We examine this approach by testing the CVSS score's efficacy as a "risk score" and as a "prioritization metric." We test CVSS against real attack data and show that the overall picture is not satisfactory: the (lower-bound) over-investment incurred by using CVSS to choose which vulnerabilities to patch can be as high as 300% of an optimal policy. We extend the analysis to obtain statistically significant results, but we present them at a practical level, focusing on the question: "does it make sense for you to use CVSS to prioritize your vulnerabilities?"
Original language: English
Title of host publication: BlackHat USA 2013
Number of pages: 24
Publication status: Published - 2013
Externally published: Yes
Event: blackhat USA 2013, 27 July-1 August 2013, Las Vegas, USA - Las Vegas, United States
Duration: 27 Jul 2013 to 1 Aug 2013
https://www.blackhat.com/us-13/briefings.html#Allodi

Conference

Conference: blackhat USA 2013, 27 July-1 August 2013, Las Vegas, USA
Abbreviated title: Blackhat2013
Country/Territory: United States
City: Las Vegas
Period: 27/07/13 to 01/08/13
Internet address: https://www.blackhat.com/us-13/briefings.html#Allodi
