The CVSS score is widely used as the de facto standard risk metric for vulnerabilities, to the point that the US Government itself encourages organizations to use it to prioritize vulnerability patching. We challenge this approach by testing the CVSS score on its efficacy as a "risk score" and as a "prioritization metric." We test the CVSS against real attack data and show that the overall picture is not satisfactory: the (lower-bound) over-investment incurred by using CVSS to choose which vulnerabilities to patch can be as high as 300% of an optimal one. We extend the analysis to make sure the results are statistically significant. However, we present our results at a practical level, focusing on the question: "does it make sense for you to use CVSS to prioritize your vulnerabilities?"
| Field | Value |
|---|---|
| Title of host publication | BlackHat USA 2013 |
| Number of pages | 24 |
| Publication status | Published - 2013 |
| Event | blackhat USA 2013, 27 July-1 August 2013, Las Vegas, USA - Las Vegas, United States (Duration: 27 Jul 2013 → 1 Aug 2013) |
| Conference | blackhat USA 2013, 27 July-1 August 2013, Las Vegas, USA |
| Period | 27/07/13 → 1/08/13 |