It’s one thing to know that a security vulnerability exists within an API you use. It’s quite another to know how serious the risk is, and how likely it is to cause a breach in your environment.
The Common Vulnerability Scoring System (CVSS) is a public information repository that assigns a score to known software vulnerabilities based on their severity and scope. The goal of the scores is to help developers, IT admins and other stakeholders easily determine which vulnerabilities require urgent attention, and which are less critical.
“It’s designed to provide open and universally standard severity ratings of software vulnerabilities” National Infrastructure Advisory Council
The scores are based on three main metrics: Base, temporal and environment:
By assessing these metrics in tandem, CVSS assigns overall scores to each vulnerability.
The most important set of metrics for CVSS score calculation are those in the base category:
For example, consider an API vulnerability that can be exploited by any user on the Internet in order to access highly sensitive data or cause a total disruption to a critical system. This type of vulnerability would receive a high CVSS score given its ease of exploitation, its scope and the confidentiality and availability risks it poses. The infamous remote code execution (RCE) vulnerability in Log4Shell is one example of this, its CVSS score was 10/10.
On the other hand, an API vulnerability that can only be exploited by privileged users under very specific environment configurations would receive a relatively low CVSS score. So would a vulnerability that doesn’t place critical information at risk, or that only impacts a non-critical component of a system.
The temporal and environment metrics are considered non-mandatory when calculating CVSS scores, but they are often used to provide additional context for score calculation.
In the temporal category, these additional calculation factors include:
There are also non-mandatory metrics in the environment group category:
The environment metrics allow analysts to adjust scores by considering how a vulnerability could be exploited, and which impact it could have, based on different environment configurations – meaning different types of operating systems, software libraries, access control frameworks and so on.
Panoptica uses data from the Common Vulnerability Scoring System (CVSS) to not only identify API vulnerabilities, but also to score and assess them to provide deep visibility into the severity of the threat.
You can access CVSS scores on the Web. But with Panoptica, there’s no need to go hunting down this information in your browser. Panoptica displays CVSS data right alongside information about API vulnerabilities that Panoptica discovers.
For each image, you’ll see a list of vulnerabilities, along with a score:
In addition to displaying the score, Panoptica breaks it down so you know why the vulnerability received the score it did.
This data is based on CVSS scores, but it’s more than that. Panoptica also identifies the variables used in your environment to provide the most accurate score assessment possible.
For example, Panoptica considers factors like attack complexity based on your configuration. If attack complexity is low, the vulnerability score will be higher. Attacks that are more complex, and therefore harder to execute, will receive lower scores.
As another example, take an attack vector, which identifies how a given vulnerability can be exploited. If the attack vector is present in your configuration, the vulnerability will receive a higher score than it would if the attack couldn’t actually be executed in your environment.
Likewise, attack scores will be higher if the privileges required to execute the attack are available to attackers based on your configuration.
In total, Panoptica relies on eight variables to determine how vulnerable each API is in your setup.
With this information, you can make informed decisions for yourself about how to handle each vulnerability. For vulnerabilities with high scores, you’ll probably want to act urgently by blocking vulnerable requests. Lower-scored vulnerabilities may not require immediate action.
Knowing which API security vulnerabilities exist in your environment is only half the battle – if that. What really matters is gaining the visibility and clarity necessary to determine how serious a given vulnerability is.
Panpptica makes this easy to do. By leveraging CVSS data and customized assessments of your environment, Panoptica delivers tailored vulnerability scoring to help you react as effectively as possible to whichever risks may arise in your environment.
Learn more by requesting a Panoptica trial.