Understanding Software Exploit Scoring Today

Even with years of related industry experience, an individual can become lost in all of the acronyms surrounding security vulnerabilities in modern software. Several of these acronyms exist, and many of them are very similar. Some of the most common are discussed below.

CWE – Common Weakness Enumeration & CVE – Common Vulnerabilities and Exposures

CVE and CWE are often muddled up, so we will use them as our starting point. A CVE, or Common Vulnerabilities and Exposures entry, is specific to an application, whereas a CWE focuses on understanding the underlying cause of the vulnerability. If you research CVE-2005-3299 you will find an old vulnerability in phpMyAdmin. In this particular vulnerability an attacker could exploit phpMyAdmin to view files which weren’t intended for them, through an attack known as local file inclusion. As you can see there, not much information is given about successful exploitation, but if we look at CWE-22 & CWE-23, we find much more information about the attack itself. Readers will learn the techniques used in exploiting a local file inclusion, not about the specific software vulnerable to this type of attack. The CVE is specific to the application which is vulnerable, while the CWE is focused on understanding what causes the issue. By reading the CWE, we understand how an attacker can exploit the CVE, and can more accurately measure the risk of specific software you may have in your environment.

The information pertaining to applicable CVEs and CWEs is of great use to those who are trying to defend an organization. Many places on the web have this information; however, the NVD, or National Vulnerability Database, is the authority on the matter. The severity of these vulnerabilities is ranked according to an open standard known as CVSS, or the Common Vulnerability Scoring System. The CVSS score alerts security professionals to the severity of the vulnerability found, like a ranking system.

According to Wikipedia: “Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe.”

This allows security professionals to make more informed decisions about addressing the vulnerability, because they can approach the concern with accurate, impactful knowledge from which they can formulate a plan of action.

SCAP – Security Content Automation Protocol

Because of the number of different types of software in a given corporate network environment, security professionals needed a way to quickly and accurately determine whether any given piece of software had known vulnerabilities. This need led to the creation of SCAP, the Security Content Automation Protocol. Security professionals needed a way to keep up, and SCAP was the answer. SCAP allows for automation. Vulnerability scanning solutions like OpenVAS, Nessus, and InsightVM all ingest SCAP data into their applications, which in turn automates the process of finding known vulnerabilities by scanning endpoints for matching application fingerprints.

A brief recap

A CVE pertains to a specific software vulnerability, while a CWE focuses on understanding how and why the vulnerability exists. CVEs are ranked by CVSS, which is centralized in the NVD. Lastly, SCAP is the protocol which allows automated scanners to ingest that data for future scanning.

If your company is interested in doing more with vulnerability management, we can help! Reach out to schedule a demo, and see how we can “Ignyte” your corporate security.
