Estimating the assessment difficulty of CVSS environmental metrics: An experiment / Allodi, L.; Biagioni, S.; Crispo, B.; Labunets, K.; Massacci, F.; Medeiros Dos Santos, Wagner. - n. 10646/2017:(2017), pp. 23-39. ( 4th International Conference on Future Data and Security Engineering, FDSE 2017 Ho Chi Minh City; Viet Nam; 29 November 2017 through 1 December 2017) [10.1007/978-3-319-70004-5_2].
Estimating the assessment difficulty of CVSS environmental metrics: An experiment
Allodi L.; Biagioni S.; Crispo B.; Labunets K.; Massacci F.; Medeiros Dos Santos, Wagner
2017-01-01
Abstract
[Context] The CVSS framework provides several dimensions to score vulnerabilities. The environmental metrics allow security analysts to downgrade or upgrade vulnerability scores based on a company's computing environments and security requirements. [Question] How difficult is it for a human assessor to change the CVSS environmental score due to changes in security requirements (let alone technical configurations) for PCI-DSS compliance for network and system vulnerabilities of different types? [Results] A controlled experiment with 29 MSc students shows that, given a segmented network, it is significantly more difficult to apply the CVSS scoring guidelines on security requirements with respect to a flat network layout, both before and after the network has been changed to meet the PCI-DSS security requirements. The network configuration also impacts the correctness of vulnerability assessment at system level but not at application level. [Contribution] This paper is the first attempt to e...

| File | Size | Format | |
|---|---|---|---|
| Estimating ....pdf (archive managers only; type: refereed post-print (author's manuscript); license: all rights reserved) | 1.31 MB | Adobe PDF | View/Open |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.