The Common Vulnerability Scoring System (CVSS), which is used by many in the industry as a standard way to assess and score security vulnerabilities, is evolving to a new version known as CVSSv3. The new version addresses some of the challenges that existed in CVSSv2: CVSSv3 analyzes the scope of a vulnerability and identifies the privileges an attacker needs to exploit it. The enhancements to CVSS will allow vendors, such as Cisco, to better analyze security vulnerability impact. The changes will also more clearly define the urgency of responding to the vulnerability for our customers.
Cisco will begin to adopt CVSSv3 for assessing security vulnerabilities in the fourth quarter of calendar year 2016 (Q4CY16).
CVSS is the industry-open standard designed to convey the common attributes of vulnerabilities in computer hardware and software systems. Cisco uses it to provide a score for each vulnerability in security advisories. CVSS was developed as a cooperative effort between the National Infrastructure Advisory Council and a number of security industry vendors and research organizations, including Cisco. The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of CVSS to promote its adoption globally. This new version was under development for 3 years, and Cisco was a contributor to the standard.
Effects of Introducing CVSSv3
The following study reviews the difference in scores when a vulnerability is assessed using CVSSv2 vs. CVSSv3. The stakeholders at FIRST have done a great job in this new version of the standard addressing some of the challenges faced with its predecessor (CVSSv2). As more organizations begin to adopt this new standard in their processes for evaluating vulnerabilities, there will be some visible changes in disclosure trends overall. The most notable is an increase in the total number of higher-rated vulnerabilities. This increase occurs because of the metric changes in the new system. As the threat landscape evolves, there are more cases where an increased sense of urgency is needed in customers’ responses.
This study analyzed the difference between CVSS version 2 and version 3 scores, using the CVSSv2 and CVSSv3 scores provided by the National Vulnerability Database (NVD). A total of 745 vulnerabilities were analyzed, and each vulnerability is identified by a Common Vulnerabilities and Exposures (CVE) identifier. All the vulnerabilities were disclosed in 2016.
The goal was to identify the percentage of vulnerabilities that had a score increase or decrease, based on the two versions of the standard (CVSSv2 vs. CVSSv3).