Vulnerability Score

(Metric) for Tier: Product

Organizational Goal

Provides insight into the Cybersecurity risk of the applications we deliver to our customers, more specifically for known vulnerabilities.

Quantitative Goal

Zero Critical and High Vulnerabilities

Visual Display of Measure

Metric Description

Common Vulnerability Scoring System (CVSS), is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. For additional information on CVSS v2, please see http://www.first.org/cvss and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Collection Method, Frequency and Storage

• Automated via a build pipeline enabled technology such as WhiteSourceBolt, Sonar Cube, or other organizationally approved tooling
• Collection frequency is at least once per sprint
• Azure DevOps build pipeline artifacts

Data Integrity

• The data for this report is generated automatically when a development team Integrate Changes
• The Lead Developer and Build Engineer ensure the tools are working correctly (e.g. Licenses expire or network issues.)

Analysis Method

Rank Common Vulnerabilities and Exposure’s (CVE) by CVSS Severity Score. CVE’s with a score of “Critical” or “High” need to be triaged.

Reporting Distribution and Frequency

To determine which roles are included in communication of measurement data, review the Responsible and Accountable for following activities:

• Conduct Monthly Status Review
• Analyze Project Metrics

USED IN

• Conduct Monthly Status Review
• Analyze Project Metrics
• Integrate Changes

SEE ALSO

Process Guidance Version: 10.4