CVSS 4.0 — What’s New?

The latest version of the Common Vulnerability Scoring System, CVSS 4.0, entered its public preview phase at the 35th annual conference of FIRST, the Forum of Incident Response and Security Teams. An international confederation of computer incident response teams, FIRST writes the CVSS specification, which plays an important role in identifying and cataloging software and application vulnerabilities.

After almost two months of public preview, CVSS 4.0 will be prepared for official rollout in the fourth quarter of 2023, and the U.S. National Vulnerability Database is expected to support its publication. CVSS 4.0 sees significant updates from the current version, 3.1, including “provider provided urgency” (sort of like vendor scores), an increased focus on ‘environmental scores’, a new severity score definition, and a host of other factors.

What’s new in CVSS 4.0?

FIRST identified a number of challenges and critiques of CVSS 3.1 that the release of CVSS 4.0 addresses to improve its precision, usability, and comprehensiveness, with better representation of real-world risk. With that in mind, the following changes have been made: 

  • Finer granularity in base metrics. Several new measurements add detail. Attack Complexity reflects the exploit engineering complexity required to evade or circumvent defensive or security-enhancing technologies. Attack Requirements reflect the prerequisite conditions of the vulnerable component that make an attack possible. Finally, Enhanced User Interaction granularity was added.
  • Retirement of the Scope metric. Scope sought to measure the ability of a vulnerability in one software component to impact resources beyond its means, or privileges, but it caused inconsistent scoring between product providers and implied lossy compression of impacts of vulnerable and impacted systems. Instead, impact and C/I/A (confidentiality, integrity, and availability) metrics have been expanded into two sets:
    • Vulnerable System Confidentiality, Integrity, and Availability
    • Subsequent System Confidentiality, Integrity, and Availability 
  • Simplified threat metrics and improved scoring impact.  Remediation Level, Report Confidence, and Exploit Code Maturity were simplified to Exploit Maturity.
  • Supplemental metrics.  These describe and measure the following additional extrinsic attributes of vulnerabilities to improve response accuracy.
    • Automatable: Can an attacker automate the exploitation of a vulnerability?
    • Recovery: This measures the resilience of a component or system to recover services after an attack, identified as automatic recovery, user recovery that requires manual intervention, or irrecoverable.
    • Value density: The resources over which an attacker will gain control with a single exploitation event, either diffuse (small) or concentrated (rich in resources).
    • Vulnerability response effort: This measures how difficult it is for consumers to respond to the impact of vulnerabilities for deployed products and services in their infrastructure on a scale of low, medium, and high. They can consider this when applying mitigations and/or scheduling remediation.
    • Provider urgency: This enables any provider along the software supply chain to supply an additional assessment of risk and urgency on a green/amber/red scale of rising severity. The penultimate product provider in the supply chain is considered best positioned to supply such an assessment.
  • Additional applicability to operational technology (OT), industrial control systems (ICS), and the Internet of Things (IoT).
  • Safety Metric Values added to Environmental Metrics.

FIRST recommends the following to get the most benefit from the CVSS:

  • Use databases and data feeds to automate the enrichment of your vulnerability data, such as the NVD for base metric values, asset management databases for environmental metric values, and threat intelligence data for threat metric values.
  • Use these important attributes to create new views into vulnerability data:
    • Support teams responsible for resolution
    • Critical applications
    • Internal- vs. external-facing components and applications
    • Business units
    • Regulatory requirements
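
The enrichment FIRST recommends above, applied to the metric groups from the change list (vulnerable vs. subsequent system impact, Exploit Maturity, supplemental metrics, the Safety value), as an added example that is not from the original article or from FIRST. The metric abbreviations and values follow the CVSS 4.0 vector string format, which the article does not show; the NVD vector, threat feed and asset record are constructed, and the function names are hypothetical.

```python
# Added example: every vector and record below is constructed sample data.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN",   # vulnerable system C/I/A
        "SC": "HLN", "SI": "HLN", "SA": "HLN"}   # subsequent system C/I/A
BASE = {k: list(v) for k, v in BASE.items()}
THREAT = {"E": list("XAPU")}                     # Exploit Maturity
ENV = {k: list("XHML") for k in ("CR", "IR", "AR")}
ENV.update({"M" + k: ["X"] + v for k, v in BASE.items()})
for k in ("MSI", "MSA"):
    ENV[k].append("S")                           # Safety value (environmental only)
SUPP = {"S": list("XNP"), "AU": list("XNY"), "R": list("XAUI"), "V": list("XDC"),
        "RE": list("XLMH"), "U": ["X", "Clear", "Green", "Amber", "Red"]}
ALLOWED = {**BASE, **THREAT, **ENV, **SUPP}      # insertion order = vector order

def parse(vector):
    """Return {metric: value}; raise ValueError on anything malformed."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or key in metrics or value not in ALLOWED.get(key, ()):
            raise ValueError(f"bad or duplicate metric: {part!r}")
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics

def enrich(base_vector, threat_intel, asset):
    """Merge base (e.g. from NVD), threat and environmental metric values."""
    metrics = parse(base_vector)
    for source, group in ((threat_intel, THREAT), (asset, ENV)):
        for key, value in source.items():
            if key not in group or value not in group[key]:
                raise ValueError(f"{key}:{value} not valid for this source")
            metrics[key] = value
    return "CVSS:4.0/" + "/".join(f"{k}:{metrics[k]}" for k in ALLOWED if k in metrics)

def reaches_subsequent_system(metrics):
    """True if impact extends beyond the vulnerable system (SC/SI/SA set)."""
    return any(metrics[k] != "N" for k in ("SC", "SI", "SA"))

NVD_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N"
FEED = {"E": "A"}                # threat intelligence: exploitation observed
ASSET = {"CR": "H", "MSA": "S"}  # asset database: high confidentiality need, safety impact
```

Because each source may only set metrics from its own group, a threat feed or asset record cannot silently overwrite a base metric. A CVSS 3.1 vector body relabelled as 4.0 is rejected too, since `S` now means Safety rather than Scope.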

How should you best use CVSS 4.0?

Like its predecessors, CVSS 4.0 is designed to help you understand the impact of Common Vulnerabilities and Exposures (CVEs) encountered in your software development pipeline. With its new capabilities, we encourage your developers and DevSecOps teams to use the CVSS as frequently as possible throughout the software development lifecycle (SDLC). Version 4.0’s enhanced clarity, flexibility, granularity, and usability make it an even more valuable tool for identifying vulnerabilities and assessing their risks and threats.

In particular, CVSS 4.0’s enhanced ability to assess factors like context, urgency, and resilience will increase risk measurement accuracy. Mend.io welcomes this more risk-based and real-world iteration of CVSS as it perfectly aligns with our vision of prioritizing security findings based on the actual threat they represent in a specific context. In our pursuit of minimizing false positives, we always encourage teams to consider each vulnerability in the context of its usage, because vulnerabilities have differing impacts in different circumstances. Knowing how particular vulnerabilities behave in different situations helps establish true threat severity and lets teams better prioritize those most in need of remediation. That’s where version 4.0 can help, and it’s why its repeated use, even to reassess vulnerabilities assessed earlier in the SDLC, should be beneficial.

The changes to CVSS should further improve companies’ vulnerability management when hardening AppSec postures. To that end, it’s important for application security companies such as Mend.io to support and promote CVSS 4.0 from the day it’s incorporated into the NVD.  We will be taking the upcoming changes into account to help ensure that our vulnerability database is as accurate as possible to deliver precision and value from our base SCA product and knowledge base, our container solution, and our platform, especially when it comes to remediation advice.

New precision and in particular better ease of use should make CVSS 4.0 more essential to application security and the way software and application security issues are detected and remediated. We look forward to its official publication towards the end of the year.
