CVSS 4.0 Is Here, but Prioritizing Patches Still a Hard Problem

  /     /     /  
Publicated : 23/11/2024   Category : security

CVSS 4.0 Is Here, but Prioritizing Patches Still a Hard Problem


CVSS Version 4 arguably performs better, but companies also need to tailor any measure of threat to their own environment to quickly evaluate new software bugs for patching order.


The soon-to-be-released Version 4.0 of the Common Vulnerability Scoring System (CVSS) promises to fix a number of issues with the severity metric for security bugs. But vulnerability experts say that prioritizing patches or measuring exploitability will still be a tough nut to crack.
The Forum of Incident Response and Security Teams (FIRST) released a preview of the next version of the CVSS last week at its annual conference. Version 4 will do away with the vague temporal metric, replacing it with the more descriptive threat metric and it will add other factors to the base metric calculation. The changes improve the overall usability of CVSS, according to FIRST, which added that companies and organizations can try the metric for grading current vulnerabilities and provide feedback prior to the launch of the general release.
CVSS 4 adds two new factors for companies to use in calculating the base metric: Attack Requirements (AT) and User Interaction (UI), measuring the complexity of the attack and whether an attack requires user interaction, according to
a description of the new specification
. In addition, a component of the CVSS is the environmental score, which is company-specific and measures the impact a vulnerability can have on their IT environment.
[T]his latest release marks a significant step forward with added capabilities crucial for teams with the importance of using threat intelligence and environmental metrics for accurate scoring at its core, FIRST
said in a statement on the preview release of CVSS 4
.
A better Common Vulnerability Scoring System could give companies a better approach to deciding which vulnerabilities should
receive priority for patching
, but it shouldnt be seen as a panacea, say experts.
When it comes to determining exploitability, one of the biggest metrics that organizations use to prioritize patches, companies have a number of tools. They can use the CVSS, the Known Exploited Vulnerability (KEV) list from the US Cybersecurity and Infrastructure Security Agency (CISA), the
Exploit Predication Scoring System (EPSS)
, or other proprietary systems, such as
the Coalition Exploit Scoring System
. Yet, any approach has to match an organizations capabilities and resources, says Sasha Romanosky, a senior policy researcher with RAND Corp., a global policy and research think tank.
The issue is not so much [which approach], but the strategy one uses that produces the best — that is, prioritized — list for their organization, says Romanosky, a contributor to both CVSS and EPSS. Weve come to learn that CVSS is not a good predictor of threat — exploitation — [on its own, and] that was a tough pill for us, the creators [of] CVSS, to swallow, but its the reality.
Knowing the systems that are part of an organizations attack surface area, for example, is critical, says Dustin Childs, head of threat awareness for Trend Micros Zero Day Initiative (ZDI).
One thing I always recommend is to be ruthless in your asset discovery and understand which systems are key to your business, he says. That will help prioritization.
The new CVSS still faces hurdles when it comes to providing actionable assessments for prioritization. For instance, exploitability metrics also need to be generated quickly, so that organizations have guidance as soon as possible for making decisions over prioritizing patching, says Scott Walsh, a senior security researcher at Coalition, an active-protection cyber-insurance firm.
When a new CVE is announced, risk managers and defenders may turn to the CVSS or the EPSS for severity and exploitability scores, but these industry-standard systems often take time to score new CVEs — anywhere from a week to up to a month, he says. During this time, organizations dont always know which vulnerabilities have the highest potential to negatively affect their individual digital ecosystems and technologies.
In addition, the latest CVSS can be complex to decipher, with nearly two dozen attributes used to calculate the base metric — complexity that could hinder security teams ability to gauge their risk.
These variables will require multiple business units to agree upon the impacts and requirements, he says. In security, time is of the essence, and quickly responding can be the difference between successfully preventing an attack or being a victim. These variables make the vulnerability evaluation process slow and cumbersome when responding to a new threat.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
CVSS 4.0 Is Here, but Prioritizing Patches Still a Hard Problem