Simplified CVSS 2.0 for End User and Development team

Transcription

1 International Journal of Latest Technology in Engineering & Management (IJLTEM) ISSN: Simplified CVSS 2.0 for End User and Development team Vishal Ojha #1, Chetan Patil #2, Vishak Nambiar #3 Department of Computer Engineering, University of Mumbai. Lokmanya Tilak College of Engineering, Koparkhairane, Navi Mumbai, India ABSTRACT: The CVSS 2.0 aims at generating the Score for the vulnerability which occurs whiles the development process or after the development of the software. These vulnerabilities may prove to be a threat when the software is reaching the end user. The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and the impact of IT vulnerabilities. While, the development of software or any IT project completes, and that project turns out to be an open invitation to multiple vulnerabilities across the many different Hardware and Software platforms. The CVSS score cannot be understood by the end user as it has complex equations and multiple score calculations. The underlying aim behind the effort is to generate an Enhanced, Portable and Simplified CVSS Calculator using the Android Platform and also providing the software development and testing team with an open environment to share and get solution for their problems. This paper focuses on the conceptual details for developing Simplified CVSS which will be helpful for a variety of users. Keywords: CVSS, Vulnerability, Score, Android,Simplified. INTRODUCTION Level agreement (SLA) that states how quickly a particular vulnerability must be validated and remediated. Open Framework: Users can be confused when vulnerability is assigned an arbitrary score. Which properties gave it that score? How does it differ from the one released yesterday? With CVSS, anyone can see the individual characteristics used to derive a score. Prioritized Risk: When the environmental score is computed, the vulnerability now becomes contextual. That is, vulnerability scores are now representative of the actual risk to an organization. Users know how important a given vulnerability is in relation to other vulnerabilities What is CVSS? CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics, as shown in Figure 1. [3] Currently, IT management must identify and assess malwares across many disparate hardware and software platforms [1]. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored using different scales, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits [2]: Standardized Vulnerability Scores: When an organization normalizes vulnerability scores across all of its software and hardware platforms, it can leverage a single vulnerability management policy. This policy may be similar to a service based application which is targeted for the home based an application developer who brings out unique works to the ever growing world of technology. The homebrew community for all platforms has drastically increased in the past decade. The applications that are being developed don t always go through the Volume 2 Issue 4 page 1

2 required vulnerability test. This leaves the end user to face problems on day to day bases. The CVSS 2.0 intends to provide the homebrew community and the industry sectors to have a better understanding of the vulnerabilities the applications can have while using it. Fig 1: CVSS Metric Group These metric groups are described as follows: Base: Represents the intrinsic and fundamental characteristics of vulnerability that are constant over time and user environments. Temporal: Represents the characteristics of vulnerability that change over time but not among user environments. Environmental: Represents the characteristics of vulnerability that are relevant and unique to a particular user s environment. The purpose of the CVSS base group is to define and communicate the fundamental characteristics of vulnerability. This objective approach to characterizing vulnerabilities provides users with a clear and intuitive representation of vulnerability. Users can then invoke the temporal and environmental groups to provide contextual information that more accurately reflects the risk to their unique environment. This allows them to make more informed decisions when trying to mitigate risks posed by the vulnerabilities How does CVSS work? When the base metrics are assigned values, the base equation calculates a score ranging from 0 to 10, and creates a vector, as illustrated below in Figure 2. The vector facilitates the Open nature of the Framework. It is a text string that contains the values assigned to each metric, and it is used to communicate exactly how the score for each vulnerability is derived. Therefore, the vector should always be displayed with the vulnerability score. Fig 2: CVSS Metric Equation SOLUTION ON PROBLEM There are a number of other vulnerability scoring systems managed by both commercial and non-commercial organizations. They each have their merits, but they differ by what they measure. For example, CERT/CC produces a numeric score ranging from 0 to 180 but considers such factors as whether the Internet infrastructure is at risk and what sort of preconditions are required to exploit the vulnerability. The SANS vulnerability analysis scale considers whether the weakness is found in default configurations or client or server systems [4]. Microsoft s proprietary scoring system tries to reflect the difficulty of exploitation and the overall impact of the vulnerability. While useful, these scoring systems provide a one-size-fits-all approach by assuming that the impact for vulnerability is constant for every individual and organization. Volume 2 Issue 4 page 2

3 The CVSS score cannot be understood by the end user as it has complex equations and multiple score calculations. Thus, in order to help the development team and also the end user to understand the scoring system and also to calculate the level of the vulnerability themselves, we intend to generate this simplified version of the CVSS.CVSS 2.0 has a set of equations for each metric group as mentioned below. [5] PROBLEM DEFINITION The CVSS 2.0 aims at generating the Score for the vulnerability which occurs while the development process or after the development of the software. These vulnerabilities may prove to be a threat when the software is reaching the end user. The CVSS score cannot be understood by the end user as it has complex equations and multiple score calculations. Thus, in order to help the development team and also the end user to understand the scoring system and also to calculate the level of the vulnerability themselves we intend to generate this simplified version of the CVSS. The CVSS 2.0 is an android be made available and Score Storage facility for up to a month. BaseScore [*] = round_to_1_decimal (((0.6*Impact) + (0.4*Exploitability) 1.5)*f (Impact)) *: The equation is As per Version 2.10 This equation is comprised of complex terms as we can clearly see. In order to simplify these complex terms we intend to design a set of questioner that would have a set of options using which user can indirectly fill the values in the equation and also generate the score. The available calculator is based on the online platform via which the highly professional users can determine the score of the vulnerability. Now-a-days, many people are turned in to developers developing software at home place. An online application is not always handy when it comes to using it while on a tour or offline. With the help of this idea we intend to design an offline calculator which can be used even when the user of the application is offline. The entire system is based on Android Platform (JAVA Core).The Front end is based on the Android Codes developed using Android Studio. The primary GUI Layout is Extended Tab Layout based on XML codes. GUI is User Friendly Consisting of a Log-in and a Sign up Area which is directly connected to the IRC base Database developed using MySQL and PHP. The calculator is divided in to three tabs for each Metric Calculators viz. Base, Temporal & Environmental. At Each stage The Graphical/Vector Result is displayed using the Bar Graph developed using the MPAndroidChart Library of Development as shown in Figure 3[6]. The Latest Material Design Library is used where in the Extended Tab layout is followed for the Simple GUI as Shown in Figure 4. The Database is IRC based supporting the Android Studio codes designed using the MySQL and PHP as the major Backend Tools. The Application is made to Support Any Android Smartphone running on the Android Version 4.0 and more i.e. Ice- Cream Sandwich. Volume 2 Issue 4 page 3

4 START Calculate Overall Score BaseScore Defined? OverallScore = Base Score Environmental Score Defined? OverallScore = Environmental Score Temporal Score Defined? Volume 2 Issue 4 page 4

5 Figure3:MPAndroidChart Bar Graph used as the Vector display for the Results Simplified CVSS 2.0 for End User and Development team The Figure 1 and Figure 2 describe the System Functioning and the calculation to be used while computing the results. The Overall Calculation flow is given in the below flowchart Figure 4. The developers are developing new software s and application on a daily basis as a result of this an Open ICR Chat menu will be made available using which the developers all over the globe may be able to Share their problem and solutions for queries put up, also a printable document of the scores will OverallScore = Temporal Score Return OverallScore STOP Figure 4: Overall Calculation flow CONCLUSION In today s era of technological advancement every single minute a new Software is developed by developers, this leads to a huge open market for Attackers to attack the newly developed software and steal or leak important data being used by the same. On the other hand the software developers being clueless about the Vulnerabilities occurring on a minor scale turn out to be a mess for them. These vulnerabilities are presented in a language using jargons which few app testers and Software Professional understand as a result to increase the productivity of the software development and Helping the developer to calculate and understand the Vulnerabilities himself and work out we intended to develop the Simplified version. In addition to this the Offline Calculator will be a portable device helping the people to calculate the score at any place. Inclusion of chat room will help people all over the globe to share and find solution to their problems and also get exposed to new ideas generating place in the software industry and help the developers to solve their issues and help to improve the technology being used currently. We also realize that no one scoring system will fit everyone's needs perfectly. The particular metrics used in CVSS were identified as the best compromise between completeness, ease-of-use and accuracy. They represent the cumulative experience of the CVSS Special Interest Group members as well as extensive testing of real world vulnerabilities in end-user environments. As CVSS matures, these metrics may expand or adjust, making the scoring even more accurate, flexible and representative of modern vulnerabilities and their risks. REFERENCE [1] Introduction to malware and vulnerabilities by Asim Khawaja, A TechEx Session Oct 29, [2] A complete Guide to the Common Vulnerability Scoring System Version 2.0 by Peter Mell, Karen Scarfore, National Institute of Standards and Technology accompanied by Sash Romanosky, Carnegie Mellon University Dated: July,2007 [3] A Software Vulnerability Rating Approach Based on the Vulnerability Database by Jian Luo, Kueiming Lo, and Haoran Qu, School of Software, Tsinghua University, Beijing , China, Received 14 March 2014; Accepted 14 May 2014; Published 29 May [4] SANS Institute. SANS Critical Vulnerability Analysis Archive. Undated [cited 16 March 2007]. URL: [5] Qualys publishes vulnerability references that include both CVSS base and temporal scores. These can be found at Volume 2 Issue 4 page 5

6 [6] [7] The Common Vulnerability Scoring System Mike Schiffman, Cisco Systems, The RSA Conference, February 2005 [8] Mike Schiffman, Gerhard Eschelbeck, David Ahmad, Andrew Wright, Sasha Romanosky, "CVSS: A Common Vulnerability Scoring System", National Infrastructure Advisory Council (NIAC), Volume 2 Issue 4 page 6