Determining Importance with Objective Vulnerability Scoring

The holiday season is upon us, and nearly every day, my wife asks me what I want for Christmas. As a pop culture geek with interests in most fandoms, I have dozens of items that I could ask for, but the ultimate question is what do I really want to ask her to spend money on.

In a perfect and very geeky world, I would likely come up with a method of measuring my interests, but in reality, I’m ultimately going to just pick an item near and dear to my heart. That’s because our choices in situations like this tend to be subjective.

While a determination of importance like this is rightly subjective, vulnerability scoring is often subjective when it should be objective. Systems such as High/Medium/Low or 1-5 are not objective and provide minimal value when prioritizing risk in your environment.

There are better ways to prioritize risk.

The most famous example would be CVSS, a system which is available in every vulnerability management solution. With CVSSv2, we saw vendors take their own twists on the calculation, sometimes adding their own scoring levels. We also saw instances where scores were calculated differently based on personal opinion. CVSSv3 has improved upon this with stricter definitions, but score generation still manages to be subjective as some definitions are ignored and redefined. At this time, however, it is the most accurate and valuable publicly available scoring system.

The Tripwire IP360 Scoring System is as objective as they come and factors in all the criteria critical to your environment including vulnerability age, level of access, and ease of attack. It provides Tripwire IP360 users with a clearly defined prioritization that makes resolving vulnerabilities an objective process.

Should you require more for your environment, ASPL-Based Scoring allows customers to tweak the Tripwire IP360 scoring system while knowing that the foundation is still completely objective.

There are times when you need customization in your environment, but you should be allowed to determine where that customization occurs. If everyone else applies their own customizations (as seems to sometimes be the case with other popular scoring systems), it’s impossible to know if they make sense in your environment.

With ASPL-Based Scoring, Tripwire’s ASPL (content) packages carry our trusted, objective scoring, while you keep the flexibility to elevate the issues that are critical in your environment through small adjustments to the Tripwire IP360 score of a specific vulnerability.

Don’t let your vulnerability management system provide you with a vulnerability prioritization similar to how you select a gift. Instead, rely on a scientific approach that gives clear, concise results every time.

Whichever system you use, let its vulnerability prioritization drive the order in which you address your issues.


via: tripwire
