Carnegie Mellon Heinz School Policy Management Information Technology

Scoring IT Vulnerabilities

Heinz School PhD student Sasha Romanosky, along with Peter Mell and Karen Scarfone, discusses the applicability of the Common Vulnerability Scoring System (CVSS) to Federal Agency Systems in a National Institute of Standards and Technology (NIST) Interagency Report (NIST-IR7435).

Romanosky holds a Bachelor of Science degree in Electrical Engineering from the University of Calgary, Canada. He has been working with internet and security technologies for over 10 years, predominantly within the financial and e-commerce industries at companies such as Morgan Stanley and eBay. He is coauthor of "J2EE Design Patterns Applied" and "Security Patterns: Integrating Security and Systems Engineering" and has published other works on information security. He developed the FoxTor tool for anonymous web browsing and is co-developer of CVSS.

CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. CVSS Version 2 was published in June of 2007. It represents the collective efforts of industry professionals and academic researchers to improve the flexibility and usability of this IT vulnerability scoring system.

NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.