We (The SAP Product Security Response Team) have received many questions from our customers on how SAP uses the Common Vulnerability Scoring System, also known as CVSS. This blog is the first post in a series that aims to provide an insight into CVSS and how it is used in SAP.

Background: In the last 5 years, SAP has been using CVSS to communicate the severity of vulnerabilities fixed in SAP security notes. SAP security notes are released on the second Tuesday of every month, known as SAP security patch days. We also use CVSS to prioritize our engineering effort internally to triage product security vulnerabilities. SAP is an active member of the CVSS Special Interest Group (SIG), and actively contributes to the development of CVSS version 3.0, the latest CVSS version.

What is CVSS?

CVSS is an open, vendor-neutral, technology-independent framework for communicating the characteristics and severity of software vulnerabilities. In practice, CVSS scores can be used to rate the severity of security vulnerabilities. CVSS can be applied to a very wide-range of software products including operating systems, web applications, security products (like firewalls, antivirus software), databases, etc.

CVSS consists of three metric groups: Base, Temporal, and Environmental. In-depth details of these metric groups can be found here. SAP focuses on the Base metric group only, because we believe it will bring the most value to our customers, and represents the intrinsic characteristics of a vulnerability. The Base metric group is constant over time and across user-environments.

Evolution of CVSS

CVSS was initially announced in February 2005 on the U.S. Department of Homeland Security website. From its introduction, CVSS underwent two major revisions under the custodial ownership of FIRST (Forum of Incident Response and Security Teams). As of writing this blog, the current version is CVSS version 3.0 released in June 2015.

Why you should start using CVSS?

CVSS offers the following three benefits for a software vendor like SAP   to convey the severity of a fixed vulnerability to its customers:

1) It provides standardized vulnerability severity scores.  This helps an organization in making informed decisions to schedule an appropriate patch window based on vulnerability severity.

2) It provides an open framework. Users may be confused when a vulnerability is assigned with an arbitrary score by a third party. With CVSS, the individual characteristics used to derive a score are transparent.

3) CVSS helps in risk prioritization. When the CVSS Environmental metric score is computed (typically done by end-user organizations because they are best able to assess the potential impact of a vulnerability within their own computing environment), the vulnerability becomes contextual to each organization, and helps provide a better understanding of the risk posed by the vulnerability to the organization

Additional points to keep in mind:

• Presence of un-patched vulnerabilities with a CVSS score of 4.0 or higher will have negative impact to PCI (Payment Card Industry Data Security Standard) compliance.
• International Telecommunication Union (ITU) recommends the usage of CVSS for vulnerability severity rating.

How SAP uses CVSS?

To provide transparency to our customers, security note priority is now calculated entirely based on CVSS v3 Base metric score.

Also, SAP uses CVSS version 3.0 Base score for vulnerability prioritization in our products. We believe it is critical for us to ensure time taken to provide a fix for vulnerability is in inverse proportion to the CVSS score of the vulnerability, such that a high CVSS score will yield to the least time to provide a fix to our customers. This prioritization also has an effect to the ‘downporting’ requirements – i.e. to how many legacy versions of the software we supply a patch.

For more information:

The CVSS version 3.0 documents are available online on FIRST’s website at https://www.first.org/cvss

Related blog posts:

Changes to CVSS in version 3.0

How to interpret SAP's CVSS score?