WhiteHat Security Adds CVSS to Its Sentinel Security SaaS Product
Given the volume and scope of security vulnerabilities, organizations must prioritize these risks in order to deal with them effectively. As the name implies, the Common Vulnerability Scoring System (CVSS) is a universal, open and standardized method for rating IT vulnerabilities according to their base, temporal and environmental properties. It is designed to help organizations prioritize and coordinate response to security threats.
Now, WhiteHat Security has added the CVSS to WhiteHat Sentinel, its industry-leading cloud-based web security service. Users now have the option to view CVSS scores in addition to WhiteHat Sentinel’s current Findings scoring system to judge severity and prioritize website vulnerabilities for remediation.
“This release brings CVSS, the industry’s standardized security vulnerability scoring system, to the WhiteHat Sentinel website vulnerability management platform,” said Terry Shidla, CISSP, Milestone Systems. “WhiteHat Sentinel is a complete, cost-effective solution for the continuous protection of website operations of any scale. Unlike traditional website scanning software, WhiteHat Sentinel combines an advanced, cloud-based security platform with the team of security experts at the WhiteHat Security Threat Research Center. The addition of CVSS gives organizations another tool they can use to systematically remediate security threats.”
Breaking down the Risk
Supported by the National Institute of Standards and Technology and the National Vulnerability Database, CVSS is an independent vulnerability measurement used by many IT professionals in a variety of industries to gauge security risks. Scores are based on 3 components:
- base metrics,
- temporal metrics and
- environmental metrics.
The base metric component is available in WhiteHat Sentinel and includes the following criteria for determining the severity of a vulnerability:
- Access Vector — What access is needed to exploit the vulnerability?
- Access Complexity — How difficult is it to perform the exploit?
- Authentication — How many times does a user need to authenticate to get to the exploit?
- Confidentiality Impact — What information is being leaked upon successful exploit?
- Integrity Impact — What damage can the attacker do to the site’s integrity?
- Availability Impact — Effect on the availability of the system. Will a successful exploit result in reduced performance of a resource or take it down completely?
“By offering CVSS scores, WhiteHat Sentinel provides its customers access to an industry standard vulnerability scoring system within Sentinel, which can help them better understand the risks imposed by website vulnerabilities and manage the remediation process more effectively,” said Ravi Iyer, vice president of product management, WhiteHat Security. “By combining this industry standard with WhiteHat’s own Findings scoring system in Sentinel, we are able to help companies prioritize website security, whether they have 10 websites or 10,000.”
Time-Saving Tool
WhiteHat Security offers one of the most robust web application scanning solutions available. WhiteHat Sentinel is a web-based service that combines advanced proprietary scanning technology with expert analysis, enabling customers to identify, prioritize, manage and remediate website vulnerabilities as they emerge. Sentinel’s Software-as-a-Service platform offers organizations a more effective way to measure, monitor and manage website vulnerability remediation as part of a holistic approach to security.
“WhiteHat Sentinel’s API enables customers to integrate WhiteHat’s vulnerability data with development software, bug-tracking systems, and security information systems,” said Shidla. “This allows development teams to work with existing software development tools while assessing and managing web application vulnerabilities. Additionally, developers can initiate their own retests of vulnerabilities discovered by Sentinel from within their preferred software platforms, saving them valuable time. This is critical for large enterprises that have a broad range of web sites with development teams spread out across geographical areas that all need access to vulnerability information.”
Now a part of user preferences, CVSS scores of individual vulnerabilities can be displayed on the Executive Summary, Site Summary or the Findings pages within Sentinel. They are also available in the Vulnerability Detail, Attack Vector and PCI Reports (web and PDF versions).
For more information on CVSS, visit the National Vulnerability Database at http://nvd.nist.gov/ or call Milestone Systems, Inc.