How CVSS is DOSsing Your Patching Policy - and Wasting Your Money

Explore a critical analysis of the Common Vulnerability Scoring System (CVSS) in this Black Hat USA 2013 conference talk. Delve into the effectiveness of CVSS as a risk metric and prioritization tool for vulnerability patching. Examine real attack data to assess the practical implications of using CVSS scores for security decision-making. Learn about the potential over-investment risks associated with CVSS-based patching strategies, which can reach up to 300% of an optimal approach. Gain insights into the statistical significance of the findings and their practical applications. Evaluate whether CVSS is truly an effective method for prioritizing vulnerability management in your organization. Cover topics such as vulnerability assessment, data set analysis, exploitability factors, case control studies, sensitivity and specificity comparisons, and the impact of CVSS scores on patching policies.

Introduction
Vulnerabilities
What is CVSS
Double Vision
Insecurity
Data Sets
Distribution
Exploitability
Case Control Study
Comparison
Example
Sensitivity
Sensitivity vs Specificity
Pacing
Visualizing CVSS
Patching Policy
National Grid
Batches
Shock Analysis
CVSS Score
Temporal Scores
Temporal Information