
A Stakeholder-Specific Vulnerability Categorization

October 2020 Podcast
Allen D. Householder, Eric Hatleback, Jonathan Spring

Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and walk listeners through scoring a sample vulnerability.

“They [SSVC's decision trees] are not decision trees that are just fit on a big data set, and you run some...algorithm over it and get a decision tree out of it. It is actually based on experts sitting around a table and understanding the problem.”

Publisher:

Software Engineering Institute

Abstract

Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This podcast, which highlights the latest work in prioritizing actions during vulnerability management, presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with CVSS. SSVC takes the form of decision trees tailored to different vulnerability management communities. Eric Hatleback, Allen Householder, and Jonathan Spring, vulnerability and incident researchers in the SEI CERT Division, discuss SSVC and walk listeners through scoring a sample vulnerability.

About the Speakers

Allen D. Householder

Allen D. Householder is a senior vulnerability researcher in the CERT Division of Carnegie Mellon University's Software Engineering Institute. Householder's research interests include applications of complex systems theory and machine learning to software and system security, fuzzing, and modeling of information sharing and trust among cybersecurity responders.

Jonathan Spring

Jonathan Spring is a senior member of the technical staff in the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. Spring began working at the SEI in 2009. Prior posts include adjunct professor at the University of Pittsburgh’s School of Information Sciences and research fellow for ICANN’s Security and Stability Advisory Committee (SSAC). At the SEI, Spring’s work focuses on producing reliable evidence for various levels of cybersecurity policy. Spring’s approach to work balances leading by example with reflecting on study design and other philosophical issues. Spring earned a doctoral degree in computer science from University College London.