One of the first challenges most security teams tackle is defect discovery. Soon afterwards, the bugs start piling up. I often work with organizations struggling to consistently risk-rank issues into severity categories. There are many factors to weigh in this process, and a great deal of brain power goes into devising the perfect severity system.
Even the most popular, industry-accepted system can be a square peg in a round hole if it isn’t a good fit for your organization. For instance, the Common Vulnerability Scoring System (CVSS) tends to be overly complex for most organizations to implement. While it’s very useful for infrastructure issues, it handles the contextual complexity of application vulnerabilities poorly.
Other systems are unintuitive. Take the PCI DSS severity levels, for instance: the terminology of that categorization system is hard to interpret. For example, it’s not obvious that “urgent” is more severe than “critical” when it comes to vulnerabilities. Additionally, program owners typically have to consolidate vulnerability data from multiple sources that don’t apply the same criteria or use the same scale.
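As an added illustration of that consolidation problem (example code, not the author's tooling), the normalizer below maps a CVSS v3.x base score and a PCI ASV severity level onto one organizational scale and flags findings that the two sources rate differently once normalized; the four-level organizational scale, the PCI-to-scale mapping and the sample findings are assumptions.

```python
"""Normalize findings rated on different scales (CVSS v3.x base score,
PCI ASV severity level) onto one organizational ordinal scale."""
from dataclasses import dataclass

# Assumed organization-wide scale: higher number = more severe.
ORG_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def cvss_to_org(score: float) -> str:
    """CVSS v3.x qualitative bands: 9.0+ Critical, 7.0+ High, 4.0+ Medium."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"  # 0.0 ("None") and 0.1-3.9 both land here

# PCI ASV levels rank 5 Urgent > 4 Critical > 3 High > 2 Medium > 1 Low.
# Mapping both "urgent" and "critical" to the top band is an assumption.
PCI_TO_ORG = {"urgent": "critical", "critical": "critical", "high": "high",
              "medium": "medium", "low": "low"}

@dataclass(frozen=True)
class Finding:
    finding_id: str
    source: str
    org_severity: str

def normalize(raw: dict) -> Finding:
    """raw carries 'id', 'source' and either 'cvss' (float) or 'pci_level'."""
    if "cvss" in raw:
        sev = cvss_to_org(float(raw["cvss"]))
    elif "pci_level" in raw:
        level = str(raw["pci_level"]).strip().lower()
        if level not in PCI_TO_ORG:
            raise ValueError(f"unknown PCI level: {raw['pci_level']}")
        sev = PCI_TO_ORG[level]
    else:
        raise ValueError(f"finding {raw.get('id')} carries no severity")
    return Finding(raw["id"], raw["source"], sev)

def consolidate(raw_findings: list) -> tuple:
    """Return findings sorted most-severe-first plus the ids whose sources
    still disagree after normalization (those need human triage)."""
    findings = [normalize(r) for r in raw_findings]
    by_id: dict = {}
    for f in findings:
        by_id.setdefault(f.finding_id, set()).add(f.org_severity)
    conflicts = {fid: sevs for fid, sevs in by_id.items() if len(sevs) > 1}
    findings.sort(key=lambda f: ORG_SCALE[f.org_severity], reverse=True)
    return findings, conflicts
```

A constructed input such as `[{"id": "F-2", "source": "scanner", "cvss": 6.5}, {"id": "F-2", "source": "asv", "pci_level": "High"}]` yields a conflict on `F-2` (medium versus high), which is exactly the kind of cross-source disagreement a program owner has to adjudicate.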