In this video, learn about the Common Vulnerability Scoring System (CVSS), CVSS scores, and how they can be used to help determine the risks that vulnerabilities pose.
- [Instructor] In the late nineties and early two thousands, vulnerability disclosure and reporting were a bit like the Wild Wild West. The same vulnerability could have a different name, description, and even risk rating, depending on which security vendor you used for vulnerability detection. I remember reading about a brand new vulnerability on a particular vendor's website. That vendor gave the vulnerability a name; let's just say Alpha. I was using a different vendor for vulnerability scanning, and I wanted to see if my scanner could detect it. So I logged into it and searched for Alpha, but got no results. Now, this particular vulnerability was a big deal at that time, and I knew my scanner had to have a check for it. So I went and read through every single check that had been released that week, and lo and behold, it was there, but with a different name. The lack of standardization made it very difficult to research and track vulnerabilities.

In 2005, CVSS version one was created with the goal of providing open and universally standard severity ratings of software vulnerabilities. CVSS became the gold standard for scoring the risks posed by vulnerabilities. Around the same time that CVSS was created, NIST was creating the NVD to collect vulnerability data in the form of CVEs. Eventually, because of the broad adoption of CVSS scoring, it was incorporated into the vulnerability disclosure process, with NVD overseeing the process and storing all of the data.

Today, the whole vulnerability disclosure process gives security pros the ability to uniquely identify vulnerabilities and understand the risks. First, vulnerabilities are reported to the NVD, where they are assigned a CVE number. Then the vulnerability is analyzed, and a base CVSS score is assigned within a few business days. NVD serves as a central clearinghouse for vulnerabilities and provides much-needed standardization.
As a result, it's much less common to see a single vulnerability referred to by different names and with different risk scores. Today, CVSS scores are a common language to communicate the risks posed by vulnerabilities.