The use of vulnerability data for risk assessment

This is a Master's thesis from Lund University / Department of Electrical and Information Technology

Author: Jenny Martinsson; [2021]

Keywords: Technology and Engineering;

Abstract: Finding vulnerabilities in open source software is an important part of software security. Software security is in turn a vital part of risk management and of making risk assessments. The purpose of this thesis is to help organisations make decisions about the vulnerabilities in their software by helping them make their own risk assessment. Our research uses the Common Vulnerability Scoring System (CVSS), the Common Weakness Enumeration (CWE) and ISO controls. Our research focused on the environmental score part of the CVSS score, and ways to derive the security requirement values were suggested. In the next step the modified base metrics were examined, and it was shown how easily they change depending on the system the vulnerable component runs in. This was shown by comparing the CVSS score given by the National Vulnerability Database (NVD) with the CVSS score given by the organisation Red Hat. The last part was to put the vulnerabilities in a larger risk perspective, where a connection was made between the vulnerabilities and the ISO controls by using the CWEs linked to each vulnerability. Our conclusion shows that it is important to look at vulnerabilities from a larger risk perspective, and that our method can facilitate continuous risk assessments in cybersecurity, since much of the data can be reused in the future.
