6 min read
by Tomer Dvir
Published on 06/21/2022
Last updated on 02/05/2024
Published on 06/21/2022
Last updated on 02/05/2024
Understanding the vulnerability scoring system (CVSS)The Common Vulnerability Scoring System (CVSS) is a public information repository that assigns a score to known software vulnerabilities based on their severity and scope. The goal of the scores is to help developers, IT admins and other stakeholders easily determine which vulnerabilities require urgent attention, and which are less critical. "It’s designed to provide open and universally standard severity ratings of software vulnerabilities" National Infrastructure Advisory Council The scores are based on three main metrics: Base, temporal and environment: By assessing these metrics in tandem, CVSS assigns overall scores to each vulnerability. The most important set of metrics for CVSS score calculation are those in the base category:
- Attack vector: The means by which the vulnerability can be exploited.
- Attack complexity: The difficulty of achieving the condition that must exist in order to exploit the vulnerability.
- Privileges required: The level of privilege an attacker must possess in order to exploit the vulnerability.
- User interaction: The requirement for a human user other than the attacker to participate in the exploitation of a vulnerable component.
- Scope: The number of resources impacted by the vulnerability (in other words, whether the vulnerability impacts just one part of an application or environment, or many).
- Confidentiality: The impact of the amount of confidential information that the vulnerability places at risk.
- Integrity: The extent to which the vulnerability disrupts the integrity and health of an environment.
- Availability: The degree to which the vulnerability may cause a resource to become unavailable.
Additional CVSS metricsThe temporal and environment metrics are considered non-mandatory when calculating CVSS scores, but they are often used to provide additional context for score calculation. In the temporal category, these additional calculation factors include:
- Exploit code maturity: An assessment of how likely it is that the vulnerability will be exploited by real-world threat actors.
- Remediation level: How difficult it is to remediate the risk.
- Report confidence: The level of confidence that security researchers have in the accuracy of their vulnerability assessment.
- Confidentiality requirement: Whether confidential information is necessary to exploit the vulnerability.
- Integrity requirement: The risk that environmental integrity will be lost during an exploit. Availability requirement: The risk that environment availability will be lost during an exploit.
- Modified attack vector: Whether the environment can be modified to enable the exploit.
- Modified attack complexity: When the environment can be modified to simplify vulnerability exploitation.
- Modified privileges required: Whether attackers can modify privileges to exploit a vulnerability that they otherwise would not have privileges to exploit.
- Modified user interaction: Whether attackers can manipulate user interactions to simplify attack.
- Modified scope: Whether attackers can extend the scope of an attack beyond the base components it affects.
- Modified confidentiality: Whether the attacks can be modified to access additional confidential information.
- Modified integrity: Whether the exploit can affect the integrity of the environment in additional ways when the environment is modified.
- Modified availability: Whether the exploit can cause a greater disruption to environment availability in a modified environment.
Vulnerability assessment scoring in PanopticaPanoptica uses data from the Common Vulnerability Scoring System (CVSS) to not only identify API vulnerabilities, but also to score and assess them to provide deep visibility into the severity of the threat. You can access CVSS scores on the Web. But with Panoptica, there’s no need to go hunting down this information in your browser. Panoptica displays CVSS data right alongside information about API vulnerabilities that Panoptica discovers. For each image, you’ll see a list of vulnerabilities, along with a score: In addition to displaying the score, Panoptica breaks it down so you know why the vulnerability received the score it did. This data is based on CVSS scores, but it’s more than that. Panoptica also identifies the variables used in your environment to provide the most accurate score assessment possible. For example, Panoptica considers factors like attack complexity based on your configuration. If attack complexity is low, the vulnerability score will be higher. Attacks that are more complex, and therefore harder to execute, will receive lower scores. As another example, take an attack vector, which identifies how a given vulnerability can be exploited. If the attack vector is present in your configuration, the vulnerability will receive a higher score than it would if the attack couldn’t actually be executed in your environment. Likewise, attack scores will be higher if the privileges required to execute the attack are available to attackers based on your configuration. In total, Panoptica relies on eight variables to determine how vulnerable each API is in your setup. With this information, you can make informed decisions for yourself about how to handle each vulnerability. For vulnerabilities with high scores, you’ll probably want to act urgently by blocking vulnerable requests. Lower-scored vulnerabilities may not require immediate action.
Winning the API Security BattleKnowing which API security vulnerabilities exist in your environment is only half the battle – if that. What really matters is gaining the visibility and clarity necessary to determine how serious a given vulnerability is. Panpptica makes this easy to do. By leveraging CVSS data and customized assessments of your environment, Panoptica delivers tailored vulnerability scoring to help you react as effectively as possible to whichever risks may arise in your environment. Learn more by requesting a Panoptica trial.
Get emerging insights on emerging technology straight to your inbox.
Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach
Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.
The Shift keeps you at the forefront of cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations that are shaping the future of technology.