Fact Sheet: Common Vulnerability Scoring System (CVSS)

General

Short description / Transmitted information

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score.

Normative document

Version / Release state

  • CVSS version 3.1
Release date
  • Released in June 2019
Application scope
  • Static Testing on Embedded ECUs and Software Components: Static testing is performed on the binaries of embedded Electronic Control Units (ECUs) and other software-related components, such as infotainment systems. Testers can apply CVSS to assess critical vulnerabilities based on the software bill of materials (SBOM). The CVSS scores help to prioritize vulnerabilities and guide remediation efforts before deployment.
  • Dynamic Testing on Components, Systems, and Full Vehicles: During dynamic testing, testers actively interact with the system to identify vulnerabilities. CVSS is then used to evaluate the criticality of these vulnerabilities in the context of an actively running system. This approach provides a real-world assessment of security risks and aids in making informed decisions.
Goals
  • Shifting the realistic rating of vulnerabilities further left in the development process.
  • Improved testing coverage and quality, enabled by realistic vulnerability scoring and more advanced test preparation and execution.
Promoting bodies
  • ISO/SAE 21434, UNECE R155, R156
Type
  • ISO Standard
IT Standard classification
  • Process and Methods Standard
Data format
  • n.a.
Additional available resources
  • China Security Law
Relevant prostep ivip project groups
  • n.a.

Positioning of CVSS in V-Model


Details

Cybersecurity testing is paramount in today's automotive industry, especially in light of ISO/SAE 21434 and its cybersecurity-by-design approach. This standard necessitates a comprehensive evaluation of automotive systems to identify vulnerabilities and ensure robust protection against cyber threats. Implementing effective cybersecurity testing methodologies is essential to safeguard both vehicles and passengers.

  • Design and definition of vehicle items
  • Assessment of threats and risks (TARA)
  • Evaluation of critical vulnerabilities and attack paths
  • Extensive functional testing and penetration testing to uncover unknown vulnerabilities

Relevance and Benefit for MBSE

  • Cybersecurity by design based on the vehicle architecture
  • Model-based approach for TARA and testing to support continuous validation