CVSS and OVAL Industry Standards Support

Common Vulnerability Scoring System (CVSS)
CVSS stands for Common Vulnerability Scoring System, the emerging open standard for vulnerability scoring (using a scale of 1 – 10). CVSS was commissioned by the National Infrastructure Advisory Council (NIAC) and is currently maintained by FIRST. CVSS is widely supported by security organizations and vendors, including CERT, MITRE, Cisco, Symantec, Microsoft and Qualys.

Several factors are taken into consideration when measuring the CVSS score for a vulnerability, including:

Base Score: Inherent threat of the vulnerability
  • Vulnerability allows an attacker access to confidential information
  • Vulnerability permits an attacker to modify data or allows an attacker to carry out a denial of service attack
Temporal Score: Time of vulnerability's existence
  • Time since a vulnerability was discovered
Environmental Metrics: User environment variables
  • Vulnerability is remotely exploitable or requires access to passwords
   

Open Vulnerability and Assessment Language (OVAL) is an international standard to check for the presence of vulnerabilities and configuration issues on computer systems. QualysGuard supports OVAL versions 4.0 and 4.1.

QualysGuard subscribers can now:
  • Add OVAL vulnerabilities to the QualysGuard KnowledgeBase
  • Scan and report on OVAL vulnerabilities
   
