Authors:Ibifubara Iganibo¹;Massimiliano Albanese¹;Kaan Turkmen¹;Thomas R. Campbell¹ andMarc Mosko²

Affiliations:¹Center for Secure Information Systems, George Mason University, Fairfax, U.S.A.;²Palo Alto Research Center, U.S.A.

Keyword(s):Vulnerability Analysis, Security Metrics, Software Weaknesses.

Abstract:One of the first lines of defense against cyberattacks is to understand and evaluate the weaknesses and vulnerabilities that a system exposes to malicious users. To address this need, several scoring systems have been developed, providing security analysts and practitioners with a means of quantifying the severity of common weaknesses and vulnerabilities found in software. However, these scoring systems rely on predefined notions of risk, use fixed equations to compute numerical scores, and do not provide users with the flexibility to fine-tune such equations or factor in new variables altogether. Furthermore, official scores and rankings are updated infrequently, making them less valuable in a rapidly evolving cybersecurity landscape. In this paper, we present the Mason Vulnerability Scoring Framework, a comprehensive and customizable framework for scoring vulnerabilities and ranking common weaknesses that gives users significant control over the scoring and ranking process.