Security Training on CVSS Environmental Metrics

The Security Group of the University of Trento, with the support of Oracle Community for Security, Clusit, and Aused holds a training day for security professionals on the Common Vulnerability Scoring System (CVSS), the worldwide standard for software vulnerability scoring.

The presentation is free-of-charge and capped at <NUMBER> participants, and will be hold at Oracle’s offices on the <DATE>, in Milan, Cinisello Balsamo, Italy.

The presentation day includes:

• Introduction in CVSS (Basic and Environmental).
• Demo scoring presentation with interaction with the lecturer.
• Individual scoring and group discussion with some case study.
• Presentation of automation tools (SCAP/ORACLE), Protocol to Automate the Collection of Vulnerability Data.
• Discussion on key features automated tools should have/improvement suggestions for CVSS environment metrics.

The course and all material will be held in English.

What follows is an activity description of the apresentation. For any information feel free to contact cvsstraining.disi@unitn.it.

The Common Vulnerability Scoring System is the gold standard in the industry for assessing vulnerabilities in software.

CVSS was born in 2004, became the standard de facto in 2007 with his second release, and updated in June 2015 with the third, CVSS v3 - which is now the reference metric.

Its use is prescribed by international best practices and standards such as NIST 800-30 and PCI-DSS, and is used in popular vulnerability assessment and penetration testing tool, both fundamental in every security assessment activities.

The proper use of CVSS and its correct interpretation are therefore key factors in any organization with an eye to security.

The Environmental Metric Group reflects the company-specific environmental conditions in which the affected software is deployed. This accounts for alternative controls in place that mitigate the capabilities of an attacker in reaching and exploiting the vulnerability, and other organizational characteristics (e.g., how critical the vulnerable system is to the business)

For example in classical PCI compliance procedures the network is segmented and card information may be only used with system with a CVSS score lower than 4. What about the score of vulnerabilities in systems outside the critical segment of the network? The CVSS environment allows to downgrade the score. This may and may not be the right thing to do.

The aim of the event is to provide a brief introduction to the CVSS environment metrics as well as a discussion of the possible limits of the environment metrics (or its automation).

Presentation is offered to professionals of the security organization of each sector.

It is also required:

• A basic knowledge of the different types of vulnerabilities such as XSS, Privilege Escalation, SQL injection, buffer overflow in memory, etc.
• Knowledge of English (to read the definitions!).
• Basic knowledge about Common Vulnerability Scoring System with respect to evaluation methodology for basic metrics.

Contact the Oracle Security Community: securityCommunity_it@oracle.com

• 09:30 - 10:00 Introduction in CVSS (Basic and Environmental).
• 10:00 - 10:30 Demo scoring presentation with interaction with the lecturer.
• 10:30 - 10:45 Break
• 10:45 - 12:45 Individual scoring and group discussion with some case study.
• 12:45 - 14:30 Pause Lunch
• 14:30 - 15:30 Presentation of automation tools (SCAP/ORACLE), Protocol to Automate the Collection of Vulnerability Data.
• 15:30 - 16:30 Discussion on key features automated tools should have/improvement suggestions for CVSS environment metrics.