Resources

Setting ASVS or CVSS

What are ASVS and CVSS?

When vulnerabilities are returned to the Uleska Platform by the configured automated security tools and scripts, the Uleska Platform can capture two categorizations for each vulnerability:

  • CVSS (Common Vulnerability Scoring System [v3]), which is used to determine the technical scope and impact of a vulnerability: for example, how an attacker can exploit the issue, what scope it has, and how it affects the confidentiality, integrity, or availability of system data. You can find an extensive description of CVSS at https://www.first.org/cvss/specification-document and a useful calculator at https://www.first.org/cvss/calculator/3.1
  • ASVS (OWASP Application Security Verification Standard [v4.0.2]), which contains around 300 categories for security vulnerabilities and allows each issue to be grouped into a category. This is a popular security categorization standard used around the world. You can find out more about the OWASP ASVS standard at https://owasp.org/www-project-application-security-verification-standard/

Many security tools and scripts will mark a CVSS value on the vulnerabilities they return to the Uleska Platform, though not all do. Tools can also associate issues with an ASVS category, though many do not. Where a CVSS or ASVS value is returned by a security tool or script, the Uleska Platform will use that value and associate it with the vulnerability.

How Uleska Platform Uses ASVS and CVSS

The Uleska Platform can continue to operate and report issues in the absence of either ASVS or CVSS; however, having this information enhances what the Uleska Platform can report in terms of risk and which categories of issues to address.

The CVSS score is used as part of the cyber value-at-risk calculation, along with the configured application and data sensitivity. If the CVSS is missing, the risk value for an issue will not be calculated.

The ASVS category is used in the Analytics tab to show the highest-risk categories you are experiencing and can work to reduce.

Both the ASVS and CVSS are included in output reports (PDF, CSV, and JSON via the API).

How the Uleska Platform can Learn ASVS and CVSS

As mentioned, some tools will not return an ASVS or CVSS value. In this case, you can teach the Uleska Platform the ASVS and CVSS settings you would like it to apply to such issues. When issues are returned without a setting, you can add the values through the user interface. Uleska learns your categorizations for both ASVS and CVSS, so that whenever a similar vulnerability is returned to the Uleska Platform it is automatically marked with the same category.

This means you do not need to set an ASVS or CVSS value for every single issue (which would become unmanageable). Instead, you set it once against an issue, and for every other issue that matches (same tool, title, and description) the Uleska Platform will automatically allocate the same ASVS or CVSS value. You can reset these values at any time.

Matching issues found in future scans will have the values set automatically. For existing issues that match, you can have the Uleska Platform update them in two ways:

  1. When viewing the list of vulnerabilities for a version, click the small calculator icon (labelled 'Recalculate') on the right-hand side of an issue. This updates the issue's risk score and its CVSS/ASVS values if they have been set.

  2. Ask the Uleska Platform to regenerate the risk values for all issues in all applications, which will also apply updated CVSS settings. To do this, click on the 'Configuration' menu, open the 'Value at Risk' tab, scroll to the bottom and click 'Save & Recalculate'.

Setting ASVS and CVSS

The values for ASVS and CVSS can be set through the user interface when viewing the issues in a results set (clicking on 'Results' for a tested version).

To set the ASVS or CVSS:

  • Identify the issue you wish to set ASVS or CVSS for, and click 'Edit'.

(Screenshot: Setting ASVS or CVSS, the issue 'Edit' view)

  • To change the ASVS, click 'Change' under the ASVS box.

(Screenshot: Setting ASVS or CVSS, the 'Change' buttons)

  • This opens a window in which you choose the ASVS category this issue should be identified as. There is a search box at the top to quickly find your category.

(Screenshot: ASVS category selection)

  • Choose the ASVS category and click the 'Back' button to save.
  • To change the CVSS, click the 'Change' button below the CVSS field. This presents a CVSS screen on which you select the value for each field of a CVSS v3 setting.

(Screenshot: CVSS setting)

  • When you have selected a value for each CVSS category, the resulting CVSS score and vector string are shown at the top left. Click the 'Back' button to save.

For more information on CVSS and on prioritizing security bugs by their technical severity, go to https://www.first.org/.