Tripwire has included comprehensive platform support for Common Vulnerability Scoring System (CVSS) version 3.0 in Tripwire® IP360™, making it easy to share vulnerability and risk information across organizations. CVSS is a universal, open, standardized system for rating IT vulnerabilities and determining the urgency of response. CVSS is developed by The Forum of Incident Response and Security Teams (FIRST), and the most recent version has been under development since 2012. CVSS 3.0 includes several new metrics designed to improve the accuracy of the standard, including metrics that more clearly reflect new attack vectors and recent changes in the threatscape.
In addition to CVSS 3.0 support, Tripwire IP360 is the industry leader in comprehensive and customizable vulnerability scoring solutions. Tripwire IP360 uses a unique scoring model that provides a distinction between vulnerable conditions by using an atomic measurement of risk that changes over time based on factors that are independent of the system or network that exhibits the vulnerability. Tripwire’s scoring model also incorporates the unique business context of each asset.
“The Tripwire Vulnerability Score allows customers to prioritize vulnerabilities for remediation at a granular level, but it’s important to also represent vulnerability risk in industry standard metrics,” said Tim Erlin, director of IT risk and security strategy for Tripwire. “CVSS is a key metric across industries and Tripwire’s support for CVSS 3.0, the Tripwire Vulnerability Score and summary reporting gives customers the ability to measure and manage risk at multiple levels and for multiple audiences and demonstrates our continuing leadership in vulnerability management scoring.”
CVSS is an open framework designed to clearly communicate the characteristics and impacts of IT vulnerabilities. It uses a quantitative model designed to provide a consistent, standardized and transparent measurement system for IT vulnerabilities which can be used across industries, organizations and governments.
New CVSS 3.0 features include:
- Exploitability metrics are now calculated separately for vulnerable and impacted components. These distinctions are important in many web application and cross-site vulnerabilities as well as escapes from sandboxes and guest virtual machines.
- The attack vector metric now includes physical access as a possible value to more accurately describe attacks that require physical access to a vulnerable subsystem.
- The authentication metric has been changed and is now referred to as the privileges required metric. It reflects the greatest privileges required by an attacker.
- The impact metric has shifted from quantitative to qualitative values.
- The new vulnerability chaining metric offers guidance on scoring multiple vulnerabilities.