How do you benchmark and improve your CVSS performance and maturity?

To improve CVSS performance, follow these steps: benchmark baseline assessments, compare scores with industry standards, perform continuous monitoring through regular scans and trends analysis, train and educate your team, stay updated with the latest changes, refine scoring practices, integrate with risk management, prioritize remediation efforts based on scores, and leverage tools and resources like automated tools and external resources. Regularly review and refine scoring practices, implement a feedback loop, and align your scores with your organization's risk management framework. Utilize automated tools and leverage external resources to enhance your CVSS performance.

CVSS makes your life easier as it provides you some contect around the vulnerability and how bad it is. For example, which access level is necessary to gain access (if you need to be inside the network, compromise an account, need someone to download a malicious artifact to exploit a vulnerability, etc), if there are proof of concept (or exploits) available, etc. If you can use CVSS version 4, this will also help you to recalculate the scoring based on your environment context and introduce a risk-based approach. This way, you can prioritize the remediation activities based on asset exposure to threats and how easy it is to exploit versus the impact it may cause in your environment

I add "What-If" Simulations as a valuable approach. Simulating changes in the attack vector of a vulnerability allows testing mitigation scenarios before their implementation. For example, disabling a vulnerable service can significantly alter the associated risk. This methodology supports informed decision-making, ensuring the adoption of the most effective mitigation strategies.

If tomorrow the Board ask to explain OWASP Top 10, this is how I will explain to them Imagine a website is like a bank vault Unauthorized users access restricted areas, like a customer walking into a bank vault. Data isn’t encrypted, like writing a password on a sticky note. Hackers insert malicious commands, like tricking an ATM to dispense cash. Weak security like building a paper vault. Poor settings expose data, like using "admin/password" for WiFi. Old software is vulnerable, like using a rusted lock on a door. Weak passwords let hackers in, like using "123456" as a bank PIN. Compromised updates like a fake security patch. No tracking means like a store without security cameras. Hackers manipulate like forging a letter to open gates.

In other words, a risk-based approach that could help you to prioritize remediation efforts based on exposure and impact (environmental score), and exploitability (temporal score). Honestly, it is easy for you to generate a prioritization matrix that considers how exposed the asset is (e.g.: internet accessible, number of internal and external users with access, etc.), how important that asset is to your organization (crown jewels, storage of PII data, Credit card information, etc.), and compare with the vulnerability severity and exploitability.

I generate a holistic score from CVSS scores from all systems across the network. "Keep it simple" is the key. What this allowed me to do is track the overall decrease in the score as the organization made improvements to patching rollout methodology/policy. The improvements were trended over time (years) to quantify improvement. As a consultant, peer analysis was available... consideration was given to the number of assets, servers, etc. to better match environments. Industry verticals were also taken into consideration. More recently, the EPS (Exploitability Probability Score) scoring has been included in the solution. This metric is a litmus test - not an absolute. In my use case - this metric is the first warning light.

Customising Common Vulnerability Scoring System (CVSS) metrics to reflect the unique environment and risk profile of an organisation enhances assessment accuracy. I worked with stakeholders to develop custom environmental metrics tailored to our industry-specific risks and regulatory requirements. By adjusting the impact scores based on our critical assets and compliance needs, we ensured that our CVSS scores were more relevant and actionable. This customisation enabled us to prioritise remediation efforts more effectively, improving our vulnerability management process.