Abstract
The CVSS score is widely used as the de facto standard risk metric for vulnerabilities, to the point that the US Government itself encourages organizations to use it to prioritize vulnerability patching. We tackle this approach by testing the CVSS score in terms of its efficacy as a "risk score" and "prioritization metric." We test the CVSS against real attack data and, as a result, we show that the overall picture is not satisfactory: the (lower-bound) over-investment incurred by using CVSS to choose which vulnerabilities to patch can be as high as 300% of an optimal one. We extend the analysis, making sure to obtain statistically significant results. However, we present our results at a practical level, focusing on the question: "does it make sense for you to use CVSS to prioritize your vulnerabilities?"
| Field | Value |
|---|---|
| Original language | English |
| Title | BlackHat USA 2013 |
| Number of pages | 24 |
| Status | Published - 2013 |
| Published externally | Yes |
| Event | blackhat USA 2013, 27 July-1 August 2013, Las Vegas, USA - Las Vegas, United States of America. Duration: 27 Jul 2013 → 1 Aug 2013. https://www.blackhat.com/us-13/briefings.html#Allodi |
Conference
| Field | Value |
|---|---|
| Conference | blackhat USA 2013, 27 July-1 August 2013, Las Vegas, USA |
| Short title | Blackhat2013 |
| Country/Territory | United States of America |
| City | Las Vegas |
| Period | 27/07/13 → 1/08/13 |
Research output related to 'How CVSS is DOSsing your patching policy (and wasting your money)'
- 1 Journal article
- Comparing vulnerability severity and exploits using case-control studies. Allodi, L. & Massacci, F., 2014, In: ACM Transactions on Information and System Security, vol. 17, no. 1, pp. 1-20, 1. Research output: Contribution to journal › Journal article › Academic › peer review. 163 citations (Scopus).