The latest version of the Common Vulnerability Scoring System, CVSS 4.0, entered its public preview phase at the 35th annual FIRST conference. FIRST, the Forum of Incident Response and Security Teams, is an international confederation of computer incident response teams and the body that writes and maintains the CVSS specification, which plays a central role in rating and cataloging software and application vulnerabilities.
After almost two months of public preview, CVSS 4.0 will be prepared for official rollout in the fourth quarter of 2023, and the U.S. National Vulnerability Database (NVD) is expected to support its publication. CVSS 4.0 brings significant updates over the current version, 3.1, including a new "Provider Urgency" supplemental metric (roughly, a vendor-assigned urgency rating), greater emphasis on environmental scores, a revised definition of severity scoring, and a number of other changes.
FIRST identified a number of challenges and critiques of CVSS 3.1 that CVSS 4.0 is designed to address, with the goal of improving precision, usability, and comprehensiveness and of better representing real-world risk. With that in mind, the following changes have been made:
FIRST recommends the following to get the most benefit from the CVSS:
Like its predecessors, CVSS 4.0 is designed to help you understand the impact of the Common Vulnerabilities and Exposures (CVE) entries you encounter in your software development pipeline. With its new capabilities, we encourage developers and DevSecOps teams to apply CVSS as frequently as possible throughout the software development lifecycle (SDLC). Version 4.0's improved clarity, flexibility, granularity, and usability make it an even more valuable tool for identifying vulnerabilities and assessing the risks and threats they pose.
In particular, CVSS 4.0's improved ability to account for factors such as deployment context, urgency, and resilience should make risk measurement more accurate. Mend.io welcomes this more risk-based, real-world iteration of CVSS because it aligns closely with our vision of prioritizing security findings by the actual threat they represent in a specific context. In our pursuit of minimizing false positives, we always encourage teams to consider each vulnerability in the context of its usage, because the same vulnerability has different impacts in different circumstances. Knowing how a particular vulnerability behaves in a given situation helps establish its true severity and lets teams prioritize the findings most in need of remediation. That is where version 4.0 can help, and it is why reapplying it, even to vulnerabilities already assessed earlier in the SDLC, should pay off.
The changes to CVSS should further improve vulnerability management for companies hardening their AppSec posture. To that end, it is important for application security companies such as Mend.io to support and promote CVSS 4.0 from the day it is incorporated into the NVD. We will take the upcoming changes into account to keep our vulnerability database as accurate as possible, so that our base SCA product and knowledge base, our container solution, and our platform deliver precise results and sound remediation advice.
Its greater precision and, in particular, its improved ease of use should make CVSS 4.0 even more essential to application security and to the way software and application vulnerabilities are detected and remediated. We look forward to its official publication toward the end of the year.