Carnegie Mellon Heinz School

Ph.D. Student Sasha Romanosky Discusses IT Vulnerabilities

In the Emerging Standards section of the November/December 2006 issue of IEEE Security and Privacy, Heinz School Ph.D. student Sasha Romanosky and his co-authors Peter Mell and Karen Scarfone discuss the successes and challenges of the Common Vulnerability Scoring System (CVSS), an open standard for rating the severity of software vulnerabilities.

"Vendors have historically used proprietary methods for scoring software vulnerabilities, usually without detailing their criteria or processes. The Common Vulnerability Scoring System (CVSS) is a public initiative designed to address this issue by presenting a framework for consistently and accurately assessing and quantifying software vulnerabilities' impact on organizations." (Peter Mell, Karen Scarfone, Sasha Romanosky, "Common Vulnerability Scoring System," IEEE Security and Privacy, vol. 4, no. 6, pp. 85-89, Nov/Dec, 2006.)

A second publication, "Managing and Auditing IT Vulnerabilities", is the sixth in the series of Global Technology Audit Guides sponsored by the Institute of Internal Auditors, an international professional organization of more than 120,000 members. In it, Romanosky and his co-authors describe vulnerability management from an internal-audit perspective. "Vulnerability management is a set of processes that an organization employs to identify, assess, and mitigate business risks arising from the deployment and use of IT assets and processes. This guide was developed to help Chief Audit Executives assess the effectiveness of their organization's vulnerability management processes. It recommends specific practices to guide an organization toward achieving and sustaining higher levels of effectiveness and efficiency. After reading this guide, you will have a working knowledge of vulnerability management processes, and the ability to quickly differentiate between high- and low-performing vulnerability management organizations."

The guide can be viewed at http://www.theiia.org/index.cfm?doc_id=5596