Common Vulnerability Scoring System (CVSS)

What is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System is a framework developed by the Forum of Incident Response and Security Teams (FIRST). The CVSS framework enables organizations to evaluate the various vulnerabilities present in the hardware, software, and firmware and assess their severity. 

Metrics used in CVSS

Each vulnerability is scored between 0-10, and three major metrics determine this score. These metrics are derived from multiple factors known as vectors which highlight the different facets of the vulnerability. The three metrics are:

Base metric

The base metric is determined based on the intrinsic characteristics of the vulnerability. These characteristics will be constant over time and in different computer and organizational environments. It comprises two parts: 

• Exploitability metrics: These determine how easily and effectively a vulnerability can be exploited.
• Impact metrics: These determine the impact on the systems if the vulnerability is successfully exploited.

Temporal metric

The temporal metric or score gauges factors that can change over time. For instance, the temporal score will decrease if the software has a vulnerability for which an official patch is created. However, the temporal score will be much higher if an exploit kit is used for the vulnerability.

Environmental Metric

The environmental score depends on the characteristics of a vulnerability which will vary from one environment to another. For instance, the kind of security measures set in place by an organization to mitigate a vulnerability can impact the environmental score.

Challenges of securing Kubernetes clusters

The security of Kubernetes clusters is one of the biggest concerns of DevOps engineers. Default configurations across the environment, container images, runtime processes, and more come with several vulnerabilities that engineers must solve. One of the biggest challenges to mitigating the vulnerabilities is CVE Shock. 

CVE Shock is a state wherein engineers are overloaded with numerous vulnerabilities in the Kubernetes environment but do not know how to prioritize the vulnerabilities for the mitigation process. This leads to the following issues:

• Vulnerabilities with low severity might get solved before ones with higher severity
• An increased attack surface means more opportunities to exploit weaknesses in the Kubernetes environment. 
• Confidential and sensitive data might leak and be exploited
• System recovery will become slow

CVSS enables engineers and organizations to better address the challenges mentioned above.

Applying CVSS to Kubernetes

CVSS must be applied to Kubernetes vulnerabilities, which in turn become Common Vulnerabilities and Exposures (CVEs) with a known severity. This enables engineers to gauge the severity of CVEs, and manually prioritize their mitigation accordingly.

Benefits of using CVSS in Kubernetes

• Standardization and consistency: With CVSS, the process of assessing vulnerabilities and their severity is standardized. This gives DevOps engineers an idea of what they are dealing with.

• Prioritization and updates: The CVSS help streamline the mitigation process as the engineers can prioritize security patches, updates, and other countermeasures based on the security scores. That being said, they are not the single metric by which prioritization should happen. Relevancy and the context in which they are running must be addressed too.

• Enhanced assessment and decision-making process: The risk assessment and mitigation process becomes simpler and more straightforward with the CVSS scores. The security scores help engineers to make the right decisions and take countermeasures in accordance with them.

Best practices for utilizing CVSS in Kubernetes

• Learn about the CVSS scoring system and the components of its different metrics. The base, temporal, and environmental metrics comprise multiple components that gauge the different characteristics of the vulnerability. Understand the significance of all characteristics to use the CVSS system most effectively.
  
• Scan the Kubernetes environment for vulnerabilities on a regular basis. Identify these vulnerabilities and use CVSS to assess their severity.

• Based on the CVSS scores across stages, deploy countermeasures and remediation strategies to mitigate the vulnerabilities. 

• Add the security score to the context of your infrastructure to prioritize the remediation actions.

CVSS limitations and considerations in Kubernetes

• CVSS scores are subjective due to the various factors in determining the score. Furthermore, since all environments are not the same and the Kubernetes configuration differs from one environment to another based on the architecture, it’s difficult to have a standard outlook of the CVSS scores. 

• Furthermore, CVSS only showcases the severity of the vulnerability and not the risk associated with it. Based on the environment, the risk varies, and CVSS doesn’t measure that perspective of the risk factor.

• Kubernetes is a unique containerization platform with distinct security challenges and vulnerabilities. The CVSS can not always assess these vulnerabilities and their corresponding risk.

Summary

CVSS is a framework that enables engineers to understand the severity of vulnerabilities associated with a system. However, CVSS is also subjective as it doesn’t gauge the risks associated with the vulnerabilities and cannot accurately assess the Kubernetes-related risks, which differ from one environment to another. Hence CVSS must be used along with other contextual information, to ensure a comprehensive analysis and assessment of vulnerabilities.