Software vulnerabilities — love 'em or hate 'em, they're crucial to your job. Likewise, you may have a love/hate relationship with vulnerability classification and severity scoring (such as CVSS v2 or any number of proprietary methods). In this talk we will look at statistics and characteristics for thousands of vulnerabilities to see if we can determine what CVSS v2 did wrong, what it did right, and what we (the CVSS v3 Special Interest Group) intend to do to fix it. We will also come away with a better understanding of why systems like CVSS are important to security practitioners, even those who would rather be popping shells than pushing off patches whose scores are "too low to care about".
Seth Hanford manages Cisco's TRAC team, whose members use Cisco's expansive security intelligence resources to detect and respond to threats and to generate original research on a wide array of security topics. Prior to this role, he worked for more than a decade in vulnerability and threat intelligence. Between his roles as a Security Analyst for Cisco's vulnerability database service (IntelliShield) and as an Incident Manager on its Product Security Incident Response Team (PSIRT), he has reviewed and scored thousands of security vulnerabilities in a wide range of software products. In 2005 he began contributing to the Common Vulnerability Scoring System v2 working group, and in 2011 he accepted a nomination to chair the special interest group tasked with developing CVSS version 3.

@SethHanford / blogs.cisco.com/tag/trac/ / Cisco