ParanoidMike
It appears that there are multiple forces driving the adoption of CVSS
over proprietary, opaque vulnerability rating systems (cf.
http://www.microsoft.com/technet/security/bulletin/rating.mspx):
1. NIST/FIRST recently updated CVSS to version 2.0 (http://www.first.org/cvss),
demonstrating that this is a viable, healthy
system worthy of significant enhancements.
2. There are increasing signs that major vendors are adopting CVSS
(e.g. NIST, DHS, IBM, Qualys, Cisco, Amazon - http://www.first.org/cvss/eadopters.html).
These are not the kinds of players to which Microsoft is typically
hostile or reticent to join in industry-wide security efforts.
MSRC has been using the CVE standard vulnerability identifiers for
quite a while, and I notice that the CVE articles call out CVSS
ratings as a primary metric (so there's an implicit compatibility and
alignment with the MSRC's direction).
Many of the factors that historically went into the proprietary MSRC
rating system are similar if not identical to the factors included in
CVSS v2. As well, I see that CVSS allows for "environmental factors"
that are specific to each organization, so I'd imagine that any
objection that "this doesn't fit our needs" should have been addressed
there.
So the ultimate question is this: when does MSRC plan to make the
switch to CVSS v2 in their bulletins? It seems to me that this is a
question not of IF, but HOW LONG it'll take Microsoft to muster up the
strength and energy to tear themselves away from a 5+-year-old
proprietary assessment system, and join with the rest of the industry
leaders in giving their customers consistency for enterprise IT
planning.
Cheers,
Mike
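As an added illustration of the "environmental factors" point above (example code written for this page, not the poster's or FIRST's own), the following implements the CVSS v2.0 base, temporal and environmental equations using the weights published in the FIRST v2.0 guide, and scores one constructed vector (AV:N/AC:L/Au:N/C:N/I:N/A:C with E:F/RL:OF/RC:C) under two hypothetical organizations' environmental metrics to show how far the same base score can move.

```python
from math import floor

# CVSS v2.0 metric weights (FIRST CVSS v2.0 guide).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}           # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}            # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}           # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}          # Conf/Integ/Avail impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}   # Exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}  # RemediationLevel
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}             # ReportConfidence
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # CollateralDamage
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}            # TargetDistribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                      # CR / IR / AR

def round1(x):
    """Spec's round_to_1_decimal (half up), with a tiny epsilon against float noise."""
    return floor(x * 10 + 0.5 + 1e-9) / 10

def base_score(av, ac, au, c, i, a, cr=1.0, ir=1.0, ar=1.0):
    """Base score; with security requirements supplied it yields the
    environmental 'adjusted' base (impact sub-score capped at 10)."""
    impact = min(10.0, 10.41 * (1 - (1 - CIA[c] * cr)
                                  * (1 - CIA[i] * ir)
                                  * (1 - CIA[a] * ar)))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def temporal_score(base, e, rl, rc):
    return round1(base * E[e] * RL[rl] * RC[rc])

def environmental_score(vec, cdp, td, cr, ir, ar):
    """vec = (AV, AC, Au, C, I, A, E, RL, RC); remaining args are the
    organization-specific environmental metrics."""
    av, ac, au, c, i, a, e, rl, rc = vec
    adjusted_base = base_score(av, ac, au, c, i, a, REQ[cr], REQ[ir], REQ[ar])
    adjusted_temporal = temporal_score(adjusted_base, e, rl, rc)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[cdp]) * TD[td])

if __name__ == "__main__":
    # Constructed vector: remote, low-complexity, unauthenticated, complete DoS.
    vec = ("N", "L", "N", "N", "N", "C", "F", "OF", "C")
    print("base     :", base_score(*vec[:6]))                  # 7.8
    print("temporal :", temporal_score(base_score(*vec[:6]), *vec[6:]))  # 6.4
    # Org A: availability-critical, every host exposed, high collateral damage.
    print("env org A:", environmental_score(vec, "H", "H", "M", "M", "H"))  # 9.2
    # Org B: availability barely matters, few hosts affected, no collateral damage.
    print("env org B:", environmental_score(vec, "N", "L", "M", "M", "L"))  # 1.1
```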