Date Published: July 2012
Planning Note (7/10/2012):
NISTIR 7864 was originally posted for public comment as Draft NISTIR 7517 (February 2009).
Author(s)
Elizabeth LeMay (University of Illinois at Urbana-Champaign), Karen Scarfone (Scarfone Cybersecurity), Peter Mell (NIST)
The Common Misuse Scoring System (CMSS) is a set of measures of the severity of software feature misuse vulnerabilities. A software feature is a functional capability provided by software. A software feature misuse vulnerability is a vulnerability in which the feature also provides an avenue to compromise the security of a system. Such vulnerabilities are present when the trust assumptions made when designing software features can be abused in ways that violate security. Misuse vulnerabilities allow attackers to use for malicious purposes the functionality that was intended to be beneficial. CMSS can provide measurement data to assist organizations in making sound decisions on addressing software feature misuse vulnerabilities and in conducting quantitative assessments of the overall security posture of a system. This report defines proposed measures for CMSS and equations to be used to combine the measures into severity scores for each vulnerability. The report also provides examples of how CMSS measures and scores would be determined for selected software feature misuse vulnerabilities.
The Common Misuse Scoring System (CMSS) is a set of measures of the severity of software feature misuse vulnerabilities. A software feature is a functional capability provided by software. A software feature misuse vulnerability is a vulnerability in which the feature also provides an avenue to...
See full abstract
The Common Misuse Scoring System (CMSS) is a set of measures of the severity of software feature misuse vulnerabilities. A software feature is a functional capability provided by software. A software feature misuse vulnerability is a vulnerability in which the feature also provides an avenue to compromise the security of a system. Such vulnerabilities are present when the trust assumptions made when designing software features can be abused in ways that violate security. Misuse vulnerabilities allow attackers to use for malicious purposes the functionality that was intended to be beneficial. CMSS can provide measurement data to assist organizations in making sound decisions on addressing software feature misuse vulnerabilities and in conducting quantitative assessments of the overall security posture of a system. This report defines proposed measures for CMSS and equations to be used to combine the measures into severity scores for each vulnerability. The report also provides examples of how CMSS measures and scores would be determined for selected software feature misuse vulnerabilities.
Hide full abstract
Keywords
security measurement; trust misuse; vulnerability measurement; vulnerability scoring
Control Families
Configuration Management; Risk Assessment