The CVSS score is widely used as the de facto standard risk metric for vulnerabilities, to the point that the US Government itself encourages organizations to use it to prioritize vulnerability patching. We challenge this approach by testing the CVSS score in terms of its efficacy as a "risk score" and as a "prioritization metric." We test the CVSS against real attack data and, as a result, show that the overall picture is not satisfactory: the (lower-bound) over-investment incurred by using CVSS to choose which vulnerabilities to patch can be as high as 300% of an optimal one. We extend the analysis to make sure we obtain statistically significant results. However, we present our results at a practical level, focusing on the question: "does it make sense for you to use CVSS to prioritize your vulnerabilities?"
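The comparison the abstract describes (a CVSS-threshold patching policy measured against attack data) can be made concrete with a small script. The following is an added example, not the authors' code or data: the inventory is constructed, the CVE-style identifiers are placeholders, and the "over-investment" ratio here is simply patched-count over the count of vulnerabilities actually exploited, which is one way to read the abstract's notion, not the paper's exact definition.

```python
# Added example: CVSS-threshold patching vs. an oracle that patches only
# vulnerabilities that attack data shows were exploited in the wild.
# All inventory data below is CONSTRUCTED for illustration; the
# "CVE-EXAMPLE-*" strings are placeholders, not real identifiers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    ident: str       # placeholder identifier (constructed)
    cvss: float      # CVSS base score, 0.0 - 10.0
    exploited: bool  # True if attack data shows exploitation in the wild


SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", 9.8, True),
    Vuln("CVE-EXAMPLE-0002", 9.3, False),
    Vuln("CVE-EXAMPLE-0003", 8.8, False),
    Vuln("CVE-EXAMPLE-0004", 7.5, True),
    Vuln("CVE-EXAMPLE-0005", 7.2, False),
    Vuln("CVE-EXAMPLE-0006", 7.0, False),
    Vuln("CVE-EXAMPLE-0007", 6.8, False),
    Vuln("CVE-EXAMPLE-0008", 5.0, True),
    Vuln("CVE-EXAMPLE-0009", 4.3, False),
    Vuln("CVE-EXAMPLE-0010", 2.1, False),
]


def patch_by_cvss(vulns, threshold):
    """CVSS policy: patch every vulnerability whose base score >= threshold."""
    return [v for v in vulns if v.cvss >= threshold]


def optimal_patch_set(vulns):
    """Oracle policy: patch exactly the vulnerabilities that were exploited."""
    return [v for v in vulns if v.exploited]


def minimal_covering_threshold(vulns):
    """Lowest CVSS threshold at which the CVSS policy patches every exploited vuln."""
    exploited = optimal_patch_set(vulns)
    if not exploited:
        raise ValueError("no exploited vulnerabilities in attack data")
    return min(v.cvss for v in exploited)


def coverage(vulns, threshold):
    """Fraction of exploited vulnerabilities the CVSS policy actually patches."""
    exploited = optimal_patch_set(vulns)
    if not exploited:
        raise ValueError("no exploited vulnerabilities in attack data")
    patched = patch_by_cvss(vulns, threshold)
    return sum(1 for v in patched if v.exploited) / len(exploited)


def over_investment(vulns, threshold):
    """Patches applied under the CVSS policy relative to the optimal set size.

    A value of 2.0 means patching twice as many vulnerabilities as the oracle
    would; this is one simple reading of 'over-investment', not the paper's.
    """
    exploited = optimal_patch_set(vulns)
    if not exploited:
        raise ValueError("no exploited vulnerabilities in attack data")
    return len(patch_by_cvss(vulns, threshold)) / len(exploited)


def sweep(vulns, thresholds=(9.0, 7.0, 5.0, 4.0)):
    """Coverage and over-investment for each candidate CVSS cutoff."""
    return {t: (coverage(vulns, t), over_investment(vulns, t)) for t in thresholds}


if __name__ == "__main__":
    for t, (cov, over) in sweep(SAMPLE).items():
        print(f"threshold {t:>4}: coverage {cov:.2f}, over-investment {over:.2f}x")
    print("threshold needed for full coverage:", minimal_covering_threshold(SAMPLE))
```

On this constructed inventory a "high and above" cutoff (7.0) patches only two of the three exploited vulnerabilities, and reaching full coverage requires dropping the cutoff to 5.0, at which point eight vulnerabilities are patched for three that mattered. Running the same functions over a real inventory joined with an exploitation feed is the practical version of the question the abstract poses.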
Luca Allodi received his Master's degree in Information Security from the University of Milan in 2011. Back in 2005, during his last years of high school, he was co-founder and CEO of Area-Software, a start-up for web development and IT consultancy in Brescia, his hometown. The experience with Area-Software continued for more than six years, until his enrollment as a Ph.D. student at the University of Trento, Italy, where Luca is currently based. His research interests focus on the economics of vulnerability exploitation and how these could be used as a proxy for risk measurement and assessment. His work has already received multiple international recognitions, among which a best paper award for his work on attack models and international grants for first-tier conferences; he was also one of the two candidates selected by his own University to participate in a highly competitive international academic challenge by Google. He is part of the UNITN research group in the FP7 European Projects SECONOMICS and NESSOS, and in the PRIN Project TENACE.
Fabio Massacci received an M.Eng. in 1993 and a Ph.D. in Computer Science and Engineering at the University of Rome "La Sapienza" in 1998. He spent a year in Cambridge working with L. Paulson and R. Needham on security protocol verification. He joined the University of Siena as Assistant Professor in 1999, was a visiting researcher at IRIT Toulouse in 2000, and joined Trento in 2001, where he is now a full professor. His research interests are in security requirements engineering, formal methods and computer security. He has co-authored more than 100 papers in peer-reviewed journals and international conferences. His h-index is f(t,x) (where t is time and x depends on Scopus, Google Scholar, the Firefox plug-ins, etc.). Jointly with W. Joosen he co-founded ESSoS, the Engineering Secure Software and Systems Symposium, which aims at bringing together security and software engineering researchers and practitioners. ESSoS is held in cooperation with ACM SIGSAC, ACM SIGSOFT, and IEEE TCSP. He has been administrative or scientific coordinator for integrated projects on security (S3MS, MASTER) and is coordinator of another integrated project on security engineering for evolvable systems (SecureChange). He also participates in the ANIKETOS, EFFECTS+ and NESSOS projects. Until 2008 he was deputy rector for ICT procurements and services at Trento, a pastime with 70 members of staff and a 5M Euro yearly budget. This gave him an incredible advantage for an ICT researcher: being also a customer of ICT solutions that never really work as advertised, and thus being spurred on to new research ideas.