CVSS In-Depth: Can You Trust The World's Most Popular Vulnerability Metric?

There are a number of metrics that can be used to get a better understanding of the vulnerabilities that may be present in software. There is the Common Weakness Scoring System (CWSS), the Exploitability Index (EI), and the National Vulnerability Database (NVD) which includes the Common Vulnerability Enumeration (CVE). With all of the metrics how do you determine what vulnerabilities exist in your software? In this session, we will explain some of the most used metrics in security and walk through real-world CVE examples, highlighting instances and entire categories where CVSSv3.1 falls short of providing an accurate score, both due to its design and its various flaws. The session will also cover specific indicators in the CVE description that can increase the confidence in a CVSS rating, and vice versa.