As a penetration tester, you have uncovered several security flaws within your client's network infrastructure. In order to systematically convey the severity of each finding in your report, you must adhere to an industry-standard risk rating framework. Which of the following would best allow for a consistent and quantitative expression of vulnerability severity that can be understood by both technical and non-technical stakeholders?
- Relying on the Common Weakness Scoring System (CWSS) to measure the risk level of each weakness without factoring in environmental metrics
- Developing an algorithmic risk matrix that combines asset value, threat capability, and vulnerability severity tailored to the client
- Employing the Common Vulnerability Scoring System (CVSS) to apply a numerical and qualitative severity level to each vulnerability
- Calculating severity based on the average cost of incidents associated with similar vulnerabilities in the past year
The Common Vulnerability Scoring System (CVSS) offers a way to rate the severity of vulnerabilities in a standardized manner, providing scores that correspond to a qualitative severity ranking. By applying CVSS, you are able to communicate the severity of vulnerabilities in a uniform way that is independent of proprietary methodologies or the potentially subjective measure of impact to the specific organization. This is the accepted industry practice for reporting severity in penetration testing and is expected knowledge for professionals. Other methods may not provide the standardization needed or could introduce confusion if the stakeholders are not familiar with a custom scoring system.