The Common Misuse Scoring System: Metrics for Software Feature Misuse Vulnerabilities (Interagency Report 7864) has been published today by NIST.
The Common Misuse Scoring System (CMSS), defined in NIST IR 7864, covers vulnerabilities that arise from the misuse of intended software features. This is in contrast to the better-known and complementary Common Vulnerability Scoring System (CVSS), defined in NIST IR 7435, which classifies unintended errors in the design or coding of software (v2 guide). Additionally, there is already a related categorisation for configuration settings that affect the security of a system: the Common Configuration Scoring System (CCSS), defined in NIST IR 7502.
CMSS (and CCSS) define methods of calculating base, temporal and environmental scores, and the associated vectors, for vulnerabilities in a similar way to CVSS. The base metrics use the same six metrics and the same equations for calculating scores as CVSS, although the descriptions have been amended to suit the context. The temporal metrics differ considerably, since aspects like the availability of exploit code, the level of remediation available for the software flaw, and the confidence in the existence of the vulnerability have little meaning for misuse, and a complete remediation may never become available. The environmental metrics are more complex than those of CVSS and include Perceived Target Value, which measures how much attackers value the targets in this environment compared with other environments, and Local Remediation Level, which measures the effectiveness of the mitigation measures in the local environment.
Some software misuse vulnerability examples are:
- Bypass file upload anti-virus scanning by changing file extension
- Attacker impersonating a valid user
- User follows link to a spoofed website
There is currently no dictionary of software misuse vulnerabilities, and this publication is intended as a discussion document for agreeing a definition of CMSS. That could then lead to the creation of a dictionary, and to methods that organisations can use to apply CMSS in threat modelling, risk assessment and security analysis activities.
I like the concept. CVSS can be difficult to apply meaningfully and consistently to many application issues and this may well help organisations get a better grasp on the business impact rather than technical impacts on an individual system. More about this in my talk at AppSec Research 2012 tomorrow.
Posted on: 11 July 2012 at 20:49 hrs