
A Stakeholder-Specific Vulnerability Categorization

Podcast
Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and also take audience members through scoring a sample vulnerability.
Publisher

Software Engineering Institute


Abstract

Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This podcast—which highlights the latest work in prioritizing actions during vulnerability management—presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with the CVSS. SSVC takes the form of decision trees for different vulnerability management communities. Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and also take audience members through scoring a sample vulnerability.

An updated version of SSVC is now available: https://resources.sei.cmu.edu/library/asset-view.cfm?assedit=653459 

About the Speakers


Allen D. Householder

Allen D. Householder is a senior vulnerability researcher in the CERT Division of Carnegie Mellon University's Software Engineering Institute. Householder's research interests include applications of complex systems theory and machine learning to software and system security, fuzzing, and modeling of information sharing and trust among cybersecurity responders.

 


Eric Hatleback

Eric Hatleback is a vulnerability researcher in the CERT Division of Carnegie Mellon University’s Software Engineering Institute. Hatleback earned his doctorate from the University of Pittsburgh’s Department of History and Philosophy of Science. Hatleback’s research interests include scientific methodology (understanding the justification for scientific inferences and assumptions), science of security …


Jonathan Spring

Jonathan Spring is an SEI alumni employee.

Jonathan Spring is a senior member of the technical staff with the CERT division of the Software Engineering Institute (SEI) at Carnegie Mellon University. Spring began working at the SEI in 2009. Prior posts include adjunct professor at the University of Pittsburgh’s School …
