Security Training on CVSS Environmental Metrics

The Security Group of the University of Trento, with the support of Oracle Community for Security, Clusit, and Aused, holds a training day for security professionals on the Common Vulnerability Scoring System (CVSS), the worldwide standard for software vulnerability scoring.

The presentation is free of charge and capped at <NUMBER> participants, and will be held at Oracle's offices on <DATE> in Cinisello Balsamo (Milan), Italy.

The presentation day includes:

The course and all material will be in English.

What follows is an activity description of the presentation. For any information feel free to contact cvsstraining.disi@unitn.it.

Introduction to the CVSS

The Common Vulnerability Scoring System is the gold standard in the industry for assessing vulnerabilities in software.

CVSS was born in 2004, became the de facto standard in 2007 with its second release, and was updated in June 2015 with the third, CVSS v3, which is now the reference metric.

Its use is prescribed by international best practices and standards such as NIST 800-30 and PCI-DSS, and it is used in popular vulnerability assessment and penetration testing tools, both fundamental to any security assessment activity.

The proper use of CVSS and its correct interpretation are therefore key factors in any organization with an eye to security.

Environmental Metrics in CVSS

The Environmental Metric Group reflects the company-specific environmental conditions in which the affected software is deployed. This accounts for alternative controls in place that mitigate the capabilities of an attacker in reaching and exploiting the vulnerability, and for other organizational characteristics (e.g., how critical the vulnerable system is to the business).

For example, in classical PCI compliance procedures the network is segmented and card information may only be handled by systems with a CVSS score lower than 4. What about the score of vulnerabilities in systems outside the critical segment of the network? The CVSS environmental metrics allow the score to be downgraded. This may or may not be the right thing to do.

The aim of the event is to provide a brief introduction to the CVSS environmental metrics as well as a discussion of the possible limits of the environmental metrics (or of their automation).

Profile of participants

The presentation is offered to security professionals from organizations in any sector.

It is also required:

Registration procedure

Contact the Oracle Security Community: securityCommunity_it@oracle.com

Agenda