11 July 2012

Common Misuse Scoring System (CMSS)

The Common Misuse Scoring System: Metrics for Software Feature Misuse Vulnerabilities (Interagency Report 7864) has been published today by NIST.

Photograph of a constantly morphing geometric wall-mounted exhibit seen during Clerkenwell Design Week 2012

Common Misuse Scoring System (CMSS), defined in NIST IR 7864, describes vulnerabilities that are misuse of intended software features. This is in contrast to the better-known and complementary vulnerability categorisation system, the Common Vulnerability Scoring System (CVSS), defined in NIST IR 7435, which classifies unintended errors in the design or coding of software (v2 guide). Additionally, there is already another related categorisation for configuration settings that impact the security of a system — the Common Configuration Scoring System (CCSS), defined in NIST IR 7502.

CMSS (and CCSS) define methods of calculating base, temporal and environmental scores, and associated vectors, for vulnerabilities in a similar way to CVSS. The base metrics use the same six metrics and the same equations for calculating scores as CVSS, although the descriptions have been amended to suit the context. The temporal components differ much more, since aspects like the availability of exploit code, the level of available remediations for the software flaw, and the confidence in the existence of the vulnerability have little meaning for misuse, and complete remediations may never become available. The environmental metrics are more complex than those of CVSS and include Perceived Target Value, which measures how attackers value the targets in this environment compared with other environments, and Local Remediation Level, which measures the effectiveness of mitigation measures in the local environment.

Some software misuse vulnerability examples are:

  • Bypass file upload anti-virus scanning by changing file extension
  • Attacker impersonating a valid user
  • User follows link to a spoofed website

There is no current dictionary of software misuse vulnerabilities, and this publication is intended as a discussion document to agree a definition of CMSS. This could then lead to the creation of a dictionary and of methods for organisations to use CMSS to assist with threat modelling, risk assessments and security analysis activities.

I like the concept. CVSS can be difficult to apply meaningfully and consistently to many application issues, and this may well help organisations get a better grasp of the business impact rather than the technical impacts on an individual system. More about this in my talk at AppSec Research 2012 tomorrow.

Posted on: 11 July 2012 at 20:49 hrs

http://www.clerkendweller.com/2012/7/11/Common-Misuse-Scoring-System-CMSS