Excuses Not To Use CVSS

Andrew Jaquith ∙ Managing Director, Markerbench
2 min read ∙ July 25, 2007

I have always been a fan of the good work done by the CVSS folks. I have an obvious reason to like CVSS, of course: namely, to cheer on a former co-worker, Mike “Shifty” Schiffman, who was one of the first version’s authors. But more than that, I like CVSS because it is a bold attempt to create a scoring system for vulnerabilities that is objective and independent of any single vendor’s spin. As an industry, we need this. I reference, and commend, CVSS in my book Security Metrics.

Today, Computerworld reports that CVSS version 2 is now out. That’s great news; congratulations to Gavin and the rest of the team. I hope Microsoft and other vendors actually start using it.

One thing about that Computerworld story that annoyed me, however, was Robert Beggs’ comment that enterprises shouldn’t use CVSS to “manage by the numbers.” Specific critiques of CVSS aside, why shouldn’t we do that? Isn’t that the point of measuring things? I guess we should manage by voodoo instead.

Honestly, I find comments like this exasperating. On the other hand, you never know what a reporter is going to pick up on and write in a column. I’ve said some damned silly things, as throwaways, that were printed. (My comment to InformationWeek’s Marty Garvey, calling Mozilla’s tabbed browsing feature “the best thing since sliced bread,” is one such stinker that got printed.)