A Stakeholder-Specific Vulnerability Categorization
Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This podcast, which highlights the latest SEI work on prioritizing those actions, presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with CVSS. SSVC takes the form of decision trees tailored to different vulnerability management communities. Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and walk audience members through scoring a sample vulnerability.
An updated version of SSVC is now available: https://resources.sei.cmu.edu/library/asset-view.cfm?assedit=653459
About the Speakers
Allen D. Householder is a senior vulnerability researcher in the CERT Division of Carnegie Mellon University's Software Engineering Institute. Householder's research interests include applications of complex systems theory and machine learning to software and system security, fuzzing, and modeling of information sharing and trust among cybersecurity responders.
Eric Hatleback is a vulnerability researcher in the CERT Division of Carnegie Mellon University's Software Engineering Institute. Hatleback earned his doctorate from the University of Pittsburgh's Department of History and Philosophy of Science. Hatleback's research interests include scientific methodology (understanding the justification for scientific inferences and assumptions), science of security …
Jonathan Spring is a former SEI employee.
Jonathan Spring was a senior member of the technical staff with the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. Spring began working at the SEI in 2009. Prior posts include adjunct professor at the University of Pittsburgh's School …