Vulnerability scoring for security configuration settings
Source
Conference on Computer and Communications Security
Proceedings of the 4th ACM workshop on Quality of protection
Alexandria, Virginia, USA
SESSION: Security measurement
Pages 3-8
Year of Publication: 2008
ISBN: 978-1-60558-321-1
Authors
Karen Scarfone, NIST, Gaithersburg, MD, USA
Peter Mell, NIST, Gaithersburg, MD, USA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1456362.1456365

ABSTRACT

The best-known vulnerability scoring standard, the Common Vulnerability Scoring System (CVSS), is designed to quantify the severity of security-related software flaw vulnerabilities. This paper describes our efforts to determine if CVSS could be adapted for use with a different type of vulnerability: security configuration settings. We have identified significant differences in scoring configuration settings and software flaws and have proposed methods for accommodating those differences. We also generated scores for 187 configuration settings to evaluate the new specification.

