A Stakeholder-Specific Vulnerability Categorization
October 2020 • Podcast
Allen D. Householder, Eric Hatleback, Jonathan Spring
Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and also take audience members through a sample scoring vulnerability.
Listen
Watch
Abstract
Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This podcast—which highlights the latest work in prioritizing actions during vulnerability management—presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with the CVSS. SSVC takes the form of decision trees for different vulnerability management communities. Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and also take audience members through a sample scoring vulnerability.
An updated version of SSVC is now available: https://resources.sei.cmu.edu/library/asset-view.cfm?assedit=653459
About the Speaker
Allen D. Householder
Allen D. Householder is a senior vulnerability researcher in the CERT Division of Carnegie Mellon University's Software Engineering Institute. Householder's research interests include applications ...
Allen D. Householder is a senior vulnerability researcher in the CERT Division of Carnegie Mellon University's Software Engineering Institute. Householder's research interests include applications of complex systems theory and machine learning to software and system security, fuzzing, and modeling of information sharing and trust among cybersecurity responders.
Jonathan Spring
Jonathan Spring is a senior member of the technical staff with the CERT division of the Software Engineering Institute (SEI) at Carnegie Mellon University. Spring began working at the SEI in 2009. ...
Jonathan Spring is a senior member of the technical staff with the CERT division of the Software Engineering Institute (SEI) at Carnegie Mellon University. Spring began working at the SEI in 2009. Prior posts include adjunct professor at the University of Pittsburgh’s School of Information Sciences and research fellow for the ICANN’s Security and Stability Advisory Committee (SSAC). At the SEI, Spring’s work focuses on producing reliable evidence for various levels of cybersecurity policies. Spring’s approach to work balances leading by example with reflecting on study design and other philosophical issues. Spring earned a doctoral degree in computer science from University College London.