CVSSv3 and Compliance Checks / Hardening Guides

edited February 2018 in Off-topic

In my day-to-day work as a security person I see things like common vulnerabilities, which are described with the Common Vulnerability Scoring System Version 3.0 (CVSSv3), e.g. https://www.first.org/cvss/calculator/3.0 . And then there are common hardening guides like the Windows Security Baselines https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines and the CIS Benchmarks (for Linux, Windows, databases, etc.) https://www.cisecurity.org/cis-benchmarks/

Would you recommend describing the "compliance checks" (100-300 per system) in the CVSSv3 vector (or is that nonsense)? For example, the entries in https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf

thx ;)

~ r4bit



  • I've never personally had a client ask for a CVSS -> Hardening mapping, nor have I seen it in any report I've commissioned with external companies. I'm not entirely sure the effort required to do that would be worth what you'd get out of it, otherwise I'm sure I'd have come across it before.

  • That is the same thing I think: it's nonsense to do that. How would you prioritize 200 hardening checks?

