Monday, August 5, 2013

CVSS is insufficient for risk determination

No, I didn't attend BH/DC/BSLV (Black Hat, DEF CON, BSides Las Vegas) this past week... that makes it about a decade since I last attended. I did try to catch up on some of the more interesting talks.

This one from the Risk I/O gang on CVSS trends [1] really struck me. A good talk; watch the whole thing if you haven't. They talk about how organizations are using CVSS scores to determine patching priority (or, in many cases, patch or no patch) and how poorly that approach does at preventing breaches.

My question: do people not read? The "V" in CVSS stands for vulnerability. Vulnerability != Risk. Vulnerability is one part of the risk equation, roughly one third of the standard risk formula (threat, vulnerability, impact). In any case, are people reading the actual vulnerability? Or are they just taking the score and blindly applying it to their patch program?
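To make the point concrete, here is an added example (mine, not code from the original post or from Risk I/O): it computes a CVSS v2 base score from a vector string using the published v2 base equations, and then folds that score into a risk score with the two factors CVSS deliberately does not carry, threat (what is known about exploitation, plus how exposed the host is) and impact (what the asset is worth to the business). The multipliers in THREAT and the exposure/impact values on each finding are hypothetical weightings I chose for illustration, not a standard, and the findings themselves are constructed sample data.

```python
"""CVSS is one input to risk, not the answer. Added example, not from the post.

cvss2_base_score() implements the CVSS v2 base equation from the v2 spec.
risk_score() then multiplies vulnerability (the base score), threat and impact;
its weights are a hypothetical illustration chosen for this example.
"""
from dataclasses import dataclass

# CVSS v2 base metric weights (values from the CVSS v2 specification)
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Conf/Integ/Avail impact


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', 'AC': 'L', ...}."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"malformed CVSS v2 base vector: {vector}")
    return metrics


def cvss2_base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the spec requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:            # f(Impact) = 0 when there is no impact at all
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


# Threat multipliers: hypothetical values for this example, not a standard.
THREAT = {"none": 0.2, "poc": 0.6, "public-exploit": 0.9, "exploited-in-wild": 1.0}


@dataclass
class Finding:
    ident: str
    vector: str          # CVSS v2 base vector from the scanner
    threat: str          # key into THREAT
    exposure: float      # 0..1: 1.0 internet-facing, 0.5 user-facing internal, 0.1 isolated
    asset_impact: float  # 0..1: business impact if this asset is fully compromised


def risk_score(f):
    """Risk = vulnerability x threat x impact, scaled 0..10 (hypothetical weighting)."""
    vuln = cvss2_base_score(f.vector) / 10.0
    threat = THREAT[f.threat] * f.exposure
    return round(10 * vuln * threat * f.asset_impact, 2)


def cvss_only_order(findings):
    """What a 'patch by CVSS score' program would do."""
    return [f.ident for f in sorted(findings, key=lambda f: cvss2_base_score(f.vector), reverse=True)]


def risk_order(findings):
    """What the same findings look like once threat and impact are considered."""
    return [f.ident for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings (not real CVEs or hosts).
FINDINGS = [
    Finding("isolated-scada-full", "AV:N/AC:L/Au:N/C:C/I:C/A:C", "none", 0.1, 1.0),
    Finding("dmz-web-rce", "AV:N/AC:L/Au:N/C:P/I:P/A:P", "exploited-in-wild", 1.0, 0.9),
    Finding("lab-kernel-privesc", "AV:L/AC:L/Au:N/C:C/I:C/A:C", "none", 0.1, 0.2),
    Finding("internal-client-side", "AV:N/AC:M/Au:N/C:P/I:P/A:P", "public-exploit", 0.5, 0.6),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.ident:22} cvss={cvss2_base_score(f.vector):4}  risk={risk_score(f)}")
    print("CVSS-only order:", cvss_only_order(FINDINGS))
    print("Risk order:     ", risk_order(FINDINGS))
```

Run as-is, the CVSS-only ordering puts the 10.0 on the air-gapped SCADA box first and the 7.5 on the internet-facing web server second; the risk ordering flips that, and pushes the 6.8 client-side bug with a public exploit above both of the 'critical' findings that nobody can reach. The exact numbers do not matter, the point is that a CVSS base score alone cannot tell you which of those to patch this week.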

Never mind.


  1. BTW, I remember when Risk I/O was HoneyApps and they were just launching. Bright guys, but when they pitched to me, I asked if I could apply risk models to my stored vuln data. They said no, I couldn't. So I wasn't really interested in their service. I see they've since pivoted to match the market demand. Good for them.