Security Basics mailing list archives
Graphing CVSS scores for reports and presentations
From: "Mitchell, Sean HE0" <smitchell () health gov sk ca>
Date: Wed, 19 Mar 2008 16:46:00 -0600
Hi List,

I am looking for ideas on how to visually represent a group of CVSS scores, something easy to understand for management and non-technical users. These visual representations generally appear in the recommendations section of a report, and are listed one right after the other for all vulnerabilities contained in the report.

Previously in our reports, we had our own internal ranking system. Each vulnerability was given a score calculated on impact, likelihood, measures in place, availability, etc. 1-10 was green, 11-15 was orange, and 15-20 was red. Anyone looking at the report can immediately understand that the red need to be dealt with first.

The problem is representing the three areas of the CVSS score clearly: While a vulnerability may get 'red' in the base area, it may be 'green' in the environmental group. On the other hand, something that is orange in the base group may score 'red' in the environmental group, which leads to difficulty in understanding the graphics.

When writing a report, how do you communicate the severity of the found vulnerabilities?

TIA
-sean

Sean Mitchell, Technical Security Analyst
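The divergence described in the message above can be reproduced with the CVSS v2 equations. This is an added example, not part of the original post: the two vectors are constructed, the function names are this example's own, and the green/orange/red names are an assumed mapping onto NVD's v2 Low/Medium/High ranges (0-3.9, 4.0-6.9, 7.0-10.0) rather than the poster's 1-20 scale.

```python
from decimal import Decimal, ROUND_HALF_UP

W = {  # CVSS v2 metric weights from the v2 specification's equations
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.66}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}

def d(x):  # exact decimal arithmetic, so a tie such as 9.15 rounds up to 9.2
    return Decimal(str(x))
def r1(x):
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)

def scores(vector):
    """Return (base, temporal, environmental) for a CVSS v2 vector string."""
    m = dict(part.split(":") for part in vector.split("/"))
    w = lambda k: d(W[k][m.get(k, "ND")])  # omitted optional metrics count as ND
    expl = 20 * w("AV") * w("AC") * w("Au")
    def base(adjusted):
        prod = Decimal(1)
        for k in "CIA":  # CR/IR/AR weight only the environmental (adjusted) impact
            req = d(REQ[m.get(k + "R", "ND")]) if adjusted else Decimal(1)
            prod *= 1 - d(IMPACT[m[k]]) * req
        impact = min(Decimal(10), d(10.41) * (1 - prod))
        if impact == 0:
            return Decimal("0.0")
        return r1((d(0.6) * impact + d(0.4) * expl - d(1.5)) * d(1.176))
    tfac = w("E") * w("RL") * w("RC")
    b = base(False)
    t, adj_t = r1(b * tfac), r1(base(True) * tfac)
    env = r1((adj_t + (10 - adj_t) * w("CDP")) * w("TD"))
    return float(b), float(t), float(env)

def band(score):  # NVD v2 ranges; the colour names are an assumed mapping
    return "green" if score < 4.0 else "orange" if score < 7.0 else "red"

FINDINGS = {"A (constructed)": "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:N/TD:L",
            "B (constructed)": "AV:N/AC:L/Au:N/C:P/I:N/A:N/CDP:H/TD:H/CR:H"}
def report(findings=FINDINGS):
    return {n: [(s, band(s)) for s in scores(v)] for n, v in findings.items()}
if __name__ == "__main__":
    print(report())
```

Finding A is red on base and green on environmental, while finding B is orange on base and red on environmental, which is the ordering conflict a single-colour graphic has to resolve.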