Understanding vulnerabilities in security testing

Imagine a vast, complex building with countless doors. Some lead to empty rooms, some to treasure troves of data, and others yet to more doors. These doors are application vulnerabilities, each representing a potential point of weakness that could be exploited by individuals with malicious intent. Security testing is the meticulous process of examining each door to determine what lies behind it and how it can be secured.

Navigating the landscape of cybersecurity is increasingly crucial as we confront the growing threat of cybercrime. To grasp the magnitude of this challenge, it’s essential to recognize that the cost of cybercrime is on a steep rise, projected to reach $10.5 trillion annually by 2025, up from $6 trillion in 2021, according to estimates from Cybersecurity Ventures. This surge highlights the urgency of securing every door – each vulnerability in our systems. 

This article will guide you through the concept of vulnerabilities using the door analogy, delve into the importance of measuring these vulnerabilities with the Common Vulnerability Scoring System (CVSS), and finally, discuss how to prioritize fixing them based on their CVSS scores.

The door analogy explained

In cybersecurity, vulnerabilities are essentially the doors through which attackers can gain unauthorized access to a system’s valuable contents. Like doors, vulnerabilities can vary greatly in their design, lock mechanisms (security measures), and what they protect. They represent different areas of testing, such as authorization and authentication, code injection and many more. Security experts, much like skilled locksmiths, assess each door to see if it can be opened, using a variety of tools and techniques at their disposal.

[Image: a corridor full of different doors, representing vulnerability points in security testing]

Envisioning types of doors – Test areas

The points listed below are based on the OWASP Top 10 vulnerability list for 2023. It’s important to note that these examples represent just a fraction of potential security vulnerabilities within web applications.

  • Broken Access Control Doors: Doors with a lock meant to restrict entry to certain individuals. However, this door has been improperly installed, allowing anyone to lift it off its hinges. Testing here focuses on ensuring that only those with the right keys (authorization) can pass through.
  • Cryptographic Failures Doors: Envision these as vault doors intended to protect precious jewels. Due to flaws in the vault’s design, like a visible combination lock or a weak spot in the door, unauthorized individuals can see or access what’s inside. Testing ensures that the vault is secure, with its contents accessible only to those with the correct combination (authorized users).
  • Code Injection Doors: Imagine these as decontamination chamber doors, designed to prevent hazardous materials from leaking. However, if these doors have cracks or unsealed gaps (representing improper sanitization of inputs), toxic substances (malicious code) can seep through, contaminating the area. Testing aims to find and seal these gaps to prevent any leakage.
  • Insecure Design Doors: Think of these as doors that don’t quite fit their frames, either too large or too small, leaving gaps for intruders to exploit. This represents the absence of a secure design philosophy, where the door (security measures) does not properly match the framework it’s meant to protect. Testing involves evaluating and adjusting the design to ensure no unwanted gaps exist.
  • Security Misconfiguration Doors: Imagine a castle gate left ajar due to a forgotten closing routine or because the gate’s locking mechanism was never properly configured. This door invites attackers straight into the castle. Testing here involves checking that the gate is not only closed but also securely locked, with all unnecessary pathways firmly barricaded.

Security professionals employ both automated tools and manual testing to try and open these metaphorical doors. If a door opens (a vulnerability is found), it’s crucial to assess both the ease with which it can be opened and the value of what lies behind it.

Measuring vulnerabilities: The role of CVSS

Not all doors are equal: some lead to critical system controls or sensitive user data, while others open onto less significant areas. The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing the severity of vulnerabilities. It considers factors like the complexity of the exploit, the level of privileges required, and the impact on confidentiality, integrity, and availability.

[Image: a corridor full of different doors with various security systems and locks]

Breaking down CVSS scores

CVSS scores vulnerabilities on a scale from 0 to 10: 0 indicates no vulnerability, while scores closer to 10 indicate increasing severity. The score is composed of several groups of metrics:

Base Score

Assesses the inherent qualities of a vulnerability that are constant over time and across user environments. This includes:

  • Attack Vector (AV): This metric reflects how the vulnerability can be exploited. For example, whether the attacker needs physical access, or if the attack can be conducted over a network. 
  • Attack Complexity (AC): Indicates the complexity of the attack required to exploit the vulnerability. It considers factors like the number of steps needed or the specificity of the conditions required.
  • Privileges Required (PR): Measures the level of privileges an attacker must possess for successful exploitation.
  • User Interaction (UI): Determines whether the exploitation of the vulnerability requires actions from a user, such as clicking a malicious link.
  • Scope (S): Indicates whether the vulnerability can affect resources beyond its security scope (e.g., a vulnerability in one software component enabling attacks on another component).
  • Impact Metrics (Confidentiality, Integrity, Availability): Assess the direct impact of the exploit on the system’s confidentiality, integrity, and availability.

Temporal Score

Reflects the aspects of the vulnerability that may change over time but not across user environments. This includes:

  • Exploit Code Maturity (E): The level of availability and maturity of exploit code or techniques.
  • Remediation Level (RL): The level of fix available for the vulnerability, ranging from official patches to temporary fixes.
  • Report Confidence (RC): The degree of confidence in the existence of the vulnerability and the accuracy of the known details.

Environmental Score

Personalizes the CVSS base score according to the importance of the affected system to a particular user’s environment, and considers:

  • Security Requirements (Confidentiality, Integrity, Availability): Adjusts the impact metrics based on the security requirements of the affected system.
  • Modified Base Metrics: Allows adjustment of the base score metrics to better reflect the impact within the specific environmental context.

Below is a table outlining how CVSS base scores correlate with vulnerability severity levels:

| Vulnerability Severity | CVSS Base Score |
|------------------------|-----------------|
| None                   | 0.0             |
| Low                    | 0.1 – 3.9       |
| Medium                 | 4.0 – 6.9       |
| High                   | 7.0 – 8.9       |
| Critical               | 9.0 – 10.0      |

Online calculators are available to determine the CVSS score for a specific vulnerability accurately, for example the CVSS calculator of the National Vulnerability Database.

Real-world vulnerability example

Description: Unauthorized Admin Access in a Health Care System. This vulnerability is particularly alarming due to the sensitivity of the data and the operations involved in a health care system. It effectively leaves a door wide open for attackers to alter the access levels of users, potentially leading to unauthorized access to personal health information, modification of critical health records, or even complete system takeover. Let’s break down its severity using the CVSS metrics:

| CVSS Metric              | Value       | Description                                                                          |
|--------------------------|-------------|--------------------------------------------------------------------------------------|
| Attack Vector (AV)       | Network (N) | Can be performed remotely over a network.                                            |
| Attack Complexity (AC)   | Low         | The attacker can exploit the vulnerability easily without specialized conditions.    |
| Privileges Required (PR) | None        | No privileges needed; accessible by any user with network access.                    |
| User Interaction (UI)    | None        | No user interaction is required for the exploit.                                     |
| Scope (S)                | Changed     | The impact of the vulnerability extends beyond the initially compromised component.  |
| Confidentiality (C)      | High        | Unauthorized access to personal data significantly compromises data confidentiality. |
| Integrity (I)            | High        | The potential for data manipulation significantly compromises data integrity.        |
| Availability (A)         | High        | Potential for system takeover compromises the availability of services.              |

Given these metric values, the vulnerability rates as critical on the CVSS scale, reflecting its potential to compromise patient confidentiality, the integrity of health records and the availability of the healthcare system. This rating underlines the urgent need for remediation.

Prioritizing vulnerability fixes

With CVSS, security teams can prioritize vulnerabilities, focusing first on those with the highest scores, essentially doors that lead directly to the most valuable or vulnerable parts of the system. This prioritization ensures that resources are allocated efficiently to fortify the most critical weaknesses before attackers can exploit them.

Mitigation and strategies

Addressing vulnerabilities often involves a mix of immediate fixes, such as applying patches or updating software, and longer-term strategies like improving the design of authentication systems. The goal is not just to lock each door, but also to ensure it’s robust enough to withstand attempts to break in.

Need some help with that?

Check out our software security services, and choose safety today.

References:

  • https://cybersecurityventures.com/cyberwarfare-report-intrusion/
  • https://www.redlings.com/en/guide/cvss-score
  • https://www.first.org/cvss/calculator/3.0
  • https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  • https://owasp.org/API-Security/editions/2023/en/0x11-t10/
