Take a sneak peek at the new NIST.gov and let us know what you think!
(Please note: some content may not be complete on the beta site.).
NIST Authors in Bold
|Author(s):||Peter M. Mell; Karen Scarfone;|
|Title:||The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities|
|Published:||December 27, 2010|
|Abstract:||The Common Configuration Scoring System (CCSS) is a set of measures of the severity of software security configuration issues. CCSS is derived from the Common Vulnerability Scoring System (CVSS), which was developed to measure the severity of vulnerabilities due to software flaws. CCSS can assist organizations in making sound decisions as to how security configuration issues should be addressed and can provide data to be used in quantitative assessments of the overall security posture of a system. This report defines proposed measures for CCSS and equations to be used to combine the measures into severity scores for each configuration issue. The report also provides several examples of how CCSS measures and scores would be determined for a diverse set of security configuration issues.|
|Citation:||NIST Interagency/Internal Report (NISTIR) - 7502|
|Keywords:||security configuration, security measurement, vulnerability measurement, vulnerability scoring|
|Research Areas:||Threats & Vulnerabilities, Information Technology, Computer Security|
|PDF version:||Click here to retrieve PDF version of paper (286KB)|