Tripwire adds support for CVSS Version 3.0

Industry-leading vulnerability management solution supports updated vulnerability scoring standard.

Tripwire has included 'comprehensive platform support' for Common Vulnerability Scoring System (CVSS) version 3.0 in Tripwire® IP360™, making it easy to share vulnerability and risk information across organizations.
CVSS is a universal, open, standardized system for rating IT vulnerabilities and determining the urgency of response. CVSS is developed by The Forum of Incident Response and Security Teams (FIRST) and the most recent version has been under development since 2012. CVSS 3.0 includes several new metrics designed to improve the accuracy of the standard, including metrics that more clearly reflect new attack vectors and recent changes in the threatscape.
In addition to CVSS 3.0 support, Tripwire IP360 is the industry leader in comprehensive and customizable vulnerability scoring solutions. Tripwire IP360 uses a unique scoring model that provides a distinction between vulnerable conditions by using an atomic measurement of risk that changes over time based on factors that are independent of the system or network that exhibits the vulnerability. Tripwire’s scoring model also incorporates the unique business context of each asset.
“The Tripwire Vulnerability Score allows customers to prioritize vulnerabilities for remediation at a granular level, but it’s important to also represent vulnerability risk in industry standard metrics,” said Tim Erlin, director of IT risk and security strategy for Tripwire. “CVSS is a key metric across industries and Tripwire’s support for CVSS 3.0, the Tripwire Vulnerability Score and summary reporting gives customers the ability to measure and manage risk at multiple levels and for multiple audiences and demonstrates our continuing leadership in vulnerability management scoring.”
CVSS is an open framework designed to clearly communicate the characteristics and impacts of IT vulnerabilities. It uses a quantitative model designed to provide a consistent, standardized and transparent measurement system for IT vulnerabilities which can be used across industries, organizations and governments.
New CVSS 3.0 features include:
  • Exploitability metrics are now calculated separately for vulnerable and impacted components. These distinctions are important in many web application and cross-site vulnerabilities as well as escapes from sandboxes and guest virtual machines.
  • The attack vector metric now includes physical access as a possible value to more accurately describe attacks that require physical access to a vulnerable subsystem.
  • The authentication metric has been changed and is now referred to as the privileges required metric. It reflects the greatest privileges required by an attacker.
  • The impact metric has shifted from quantitative to qualitative values.
  • The new vulnerability chaining metric offers guidance on scoring multiple vulnerabilities.