Domain 6 · Lesson 1 of 5

Vulnerability Assessment & CVSS Scoring

Vulnerability Assessment & CVSS Scoring

Vulnerability Assessment Process

  1. Asset Discovery
  2. Scan (Nessus / Qualys / OpenVAS)
  3. Analysis + False Positive Filter
  4. Risk Rating (CVSS)
  5. Remediation Prioritization
  6. Verify / Retest

VA vs Penetration Test

VA: Find and prioritize vulnerabilities. Automated scan + analyst review. Output: risk-rated report. Does NOT exploit.
Pen Test: Exploit vulnerabilities to prove real impact. Requires skilled humans. Output: proof-of-exploit. Requires written authorization.

CVSS Scoring: Severity Bands & Remediation SLAs

Score Range   Severity   Remediation SLA      Example Action
0.0           None       No action required   Informational note
0.1 – 3.9     Low        90 days              Fix from the next sprint backlog
4.0 – 6.9     Medium     30 days              Fix in the current release cycle
7.0 – 8.9     High       7 days               Emergency fix this week
9.0 – 10.0    Critical   24–48 hours          Page on-call immediately; start incident response

The score bands are the CVSS v3.x qualitative severity rating scale. The SLAs are organizational policy (the ones this course uses for Platform C), not part of CVSS; other organizations set different windows for the same bands.

CVSS Base Score Components (CVSS v3.1)

Exploitability Metrics

  • Attack Vector (AV): Network / Adjacent / Local / Physical
  • Attack Complexity (AC): Low / High
  • Privileges Required (PR): None / Low / High
  • User Interaction (UI): None / Required

Scope

  • Scope (S): Unchanged / Changed. Changed means a successful exploit affects components beyond the vulnerable one (the spec's example is a VM escape that reaches the hypervisor; Log4Shell is scored S:C). Scope is its own base metric in v3.x, neither exploitability nor impact, and it also raises the PR weights. CVSS v4.0 dropped it in favour of separate Vulnerable System and Subsequent System impact metrics.

CIA Impact Metrics

  • Confidentiality (C): None / Low / High
  • Integrity (I): None / Low / High
  • Availability (A): None / Low / High

Environmental Score

The Environmental score adjusts the base score to your deployment: the Confidentiality, Integrity and Availability Requirement metrics (CR/IR/AR) weight the impact side, and the Modified Base metrics re-score exploitability for where the component actually runs. Platform C processes financial PII, so CR and IR are High and the same flaw scores higher than on a static marketing site. An internet-facing endpoint keeps a Network attack vector, while the same code exposed only on the internal network can be re-scored with a tighter Modified Attack Vector.

CVE & Zero-Day Vulnerabilities

CVE β€” Common Vulnerabilities and Exposures

A standardized identifier for a publicly disclosed vulnerability, run by MITRE as the CVE Program (IDs are assigned by CVE Numbering Authorities such as vendors and MITRE itself). Format: CVE-YEAR-NUMBER, where the number has four or more digits.

Example: CVE-2021-44228 = Log4Shell (CVSS 10.0 Critical). CVE-2022-22965 = Spring4Shell (CVSS 9.8 Critical).

Zero-Day Vulnerability

A vulnerability that is exploitable before a patch exists: the vendor is unaware, or has only just become aware, and usually no CVE has been assigned yet. Database-driven scanners (Nessus, govulncheck) match installed versions and configurations against a database of known vulnerabilities, so they report nothing until an entry exists. Behavioral detection, threat intelligence and compensating controls are what cover the gap.

Key Terms

Vulnerability Assessment, CVE, CVSS, Attack Vector, Nessus, Qualys, False Positive, Remediation SLA, Patch Management, Zero-Day
Exam Tips
  1. CVSS Critical = 9.0–10.0: patch within 24–48 hours. High = 7.0–8.9: 7 days. Know all five bands.
  2. VA ≠ Pen Test: VA finds and prioritizes; Pen Test actively exploits to prove impact.
  3. False positives in VA: verify manually before treating a finding as real; this saves engineering time on phantom issues.
  4. CVSS Environmental Score: adjust the base score for your organization's context; internet-facing financial data means a higher effective score.
  5. Zero-day: no vulnerability database entry (and usually no CVE) exists yet, so database-driven scanners (Nessus, govulncheck) cannot detect it. Requires threat intelligence and behavioral detection.
Work Application: Platform C Vulnerability Management

govulncheck in CI/CD: on every build, checks the Go module graph against the Go vulnerability database (whose entries carry CVE aliases) and, using call-graph analysis, distinguishes vulnerabilities our code actually calls from ones in required modules whose affected functions are never reached. Policy: Critical (CVSS 9+) = block merge immediately; High (7–8.9) = fix within 7 days or add a WAF compensating rule with CTO sign-off; Medium = fix within 30 days; Low = fix in next sprint.

Log4Shell audit (legacy Platform A Java): Platform A uses Java, so run a Log4j dependency audit immediately. CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1 (the 2.12.2+ and 2.3.1+ backport branches for Java 7 and Java 6 are fixed); the follow-on CVEs (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) were only fully closed in 2.17.1, which is why any Log4j 2.x below 2.17.1 is treated as Critical here. Log4j 1.x is not affected by Log4Shell, but it is end-of-life with unfixed CVEs of its own, so it must be migrated as well. Upgrade Log4j or replace it with Logback/SLF4J; if a redeploy cannot happen within the SLA, the Apache-documented interim mitigation for CVE-2021-44228 is to remove org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar.
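Added example (not from the original lesson or from Apache Log4j): a Go audit that opens a jar, reads log4j-core's Maven pom.properties to get the version, checks whether JndiLookup.class is still packaged, and flags anything below 2.17.1 under the rule above. The jars scanned in main are built in memory from constructed sample data; in practice you would walk the deployed Platform A artifact tree and pass each .jar to AuditJar (nested jars inside WAR/EAR files need to be unpacked first, which this example does not do).

```go
package main

import (
	"archive/zip"
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strconv"
	"strings"
)

const (
	pomProps   = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
	jndiLookup = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
	fixedAt    = "2.17.1" // the lesson's remediation target
)

// Finding is the audit result for one jar.
type Finding struct {
	Version       string // log4j-core version from pom.properties; "" if absent
	HasJndiLookup bool   // the class CVE-2021-44228 abuses; deleting it was the interim mitigation
	Vulnerable    bool   // log4j-core present and below fixedAt
}

// versionLess reports whether dotted version a is below b ("2.14.1" < "2.17.1");
// a qualifier such as "-beta9" or "-rc1" is dropped before comparing.
func versionLess(a, b string) bool {
	parse := func(v string) [3]int {
		var out [3]int
		for i, p := range strings.Split(strings.SplitN(v, "-", 2)[0], ".") {
			if i < 3 {
				out[i], _ = strconv.Atoi(p)
			}
		}
		return out
	}
	x, y := parse(a), parse(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// AuditJar reads a jar (a zip archive) and reports log4j-core's embedded
// Maven version and whether JndiLookup.class is still packaged.
func AuditJar(r io.ReaderAt, size int64) (Finding, error) {
	zr, err := zip.NewReader(r, size)
	if err != nil {
		return Finding{}, err
	}
	var f Finding
	for _, zf := range zr.File {
		switch zf.Name {
		case jndiLookup:
			f.HasJndiLookup = true
		case pomProps:
			rc, err := zf.Open()
			if err != nil {
				return Finding{}, err
			}
			sc := bufio.NewScanner(rc)
			for sc.Scan() {
				if line := strings.TrimSpace(sc.Text()); strings.HasPrefix(line, "version=") {
					f.Version = strings.TrimPrefix(line, "version=")
				}
			}
			rc.Close()
		}
	}
	f.Vulnerable = f.Version != "" && versionLess(f.Version, fixedAt)
	return f, nil
}

// buildSampleJar constructs an in-memory jar with just the two entries the
// audit inspects. This is constructed test input, not a real Log4j artifact.
func buildSampleJar(version string, withJndi bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(pomProps)
	fmt.Fprintf(w, "#Generated by Maven\nversion=%s\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n", version)
	if withJndi {
		c, _ := zw.Create(jndiLookup)
		c.Write([]byte{0xCA, 0xFE, 0xBA, 0xBE}) // class-file magic stands in for the real class
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, tc := range []struct {
		version  string
		withJndi bool
	}{{"2.14.1", true}, {"2.14.1", false}, {"2.17.1", true}} {
		jar := buildSampleJar(tc.version, tc.withJndi)
		f, err := AuditJar(bytes.NewReader(jar), int64(len(jar)))
		fmt.Printf("log4j-core %-7s JndiLookup=%-5t vulnerable=%t err=%v\n", f.Version, f.HasJndiLookup, f.Vulnerable, err)
	}
}
```

The second sample (2.14.1 with JndiLookup.class removed) is deliberately still flagged: deleting the class blocks the CVE-2021-44228 exploit path, but the jar remains below the 2.17.1 target, so the audit reports it and the mitigation is recorded separately from the version.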

False positive handling: govulncheck's call-graph analysis already separates vulnerabilities our code reaches from ones in required modules whose affected functions are never called; the second group is informational, not a finding to patch under SLA. Verify every reachable finding with the security team before suppressing it, and record the justification and a ticket reference wherever the exception is configured in CI.

Practice Quiz

Q1. govulncheck finds a CVE with CVSS base score 9.5 in a Platform C Go dependency. What is the severity classification and the maximum acceptable time before it must be patched?

Answer:
Critical (9.0–10.0). Must be patched within 24–48 hours. Escalate immediately: this should trigger the incident response process, not wait for the next sprint planning.
CVSS 9.5 = Critical band. The 24–48 hour SLA is our internal policy and is deliberately stricter than the external baselines: PCI DSS (Requirement 6.3.3 in v4.0) allows one month for critical and high-risk patches, and SOC 2 prescribes no fixed timeframe at all, so meeting our SLA satisfies both. If an immediate patch isn't possible, a compensating control (WAF rule, network isolation, feature flag disable) must be applied within 24 hours, with the permanent fix to follow. Platform C processes financial data, so the environmental score may be even higher.

Q2. VA vs Pen Test β€” which one actively exploits vulnerabilities to demonstrate real impact?

Answer:
Penetration Testing: it actively exploits vulnerabilities (with written authorization) to demonstrate real-world impact. VA only identifies and prioritizes vulnerabilities; it does not exploit them.
VA = automated scan + analysis = "here is a list of potential weaknesses ranked by severity." Pen test = skilled humans exploit the weaknesses = "here is proof that an attacker can compromise this system and do X." Both are needed: VA gives breadth (scans everything), pen test gives depth (proves what the vulnerabilities actually allow). BSP VAPT requires pen testing; a VA report alone does not satisfy the BSP requirement.

Q3. What does a CVE identifier represent, and what is CVE-2021-44228?

Answer:
CVE (Common Vulnerabilities and Exposures) is a standardized identifier for a publicly known security flaw, run by MITRE as the CVE Program. CVE-2021-44228 is Log4Shell: a remote code execution vulnerability in Apache Log4j 2, rated CVSS 10.0 (maximum severity).
CVE identifiers let organizations refer to the same vulnerability consistently across tools and vendors; without CVE, different scanners might use different names for the same flaw. Log4Shell was one of the most severe vulnerabilities ever found: any Java application using log4j-core 2.0-beta9 through 2.14.1 was potentially exploitable with a single crafted log message, because attacker-controlled log content could trigger a JNDI lookup, and the follow-on CVEs were only fully closed in 2.17.1. Relevant for Platform A legacy Java services at FinTech Company X.

Q4. A VA scan returns 200 findings. The first engineer says "let's start patching everything." What should happen before remediation begins?

Answer:
Triage for false positives first. VA tools have high false positive rates. Each finding should be verified before spending engineering time on remediation. Confirmed findings should then be prioritized by CVSS score: Critical first, then High, Medium, Low.
False positives in VA are common: a scanner may flag a vulnerability in a library version that your code doesn't actually call, or flag a port that's actually filtered by a firewall. Patching false positives wastes engineering time and can introduce risk (unnecessary code changes). Proper process: scan → triage → confirm → prioritize → remediate → verify. Never skip the triage step.

Q5. Why can't database-driven (signature-based) vulnerability scanners such as Nessus and govulncheck detect zero-day vulnerabilities?

Answer:
Zero-day vulnerabilities have no vulnerability database entry yet (and usually no CVE); the vendor is unaware or has only just learned about them. These scanners work by matching installed versions and configurations against a database of known vulnerabilities. With no entry, there is nothing to match against, so the scanner reports nothing.
Signature-based detection requires a known pattern (a CVE ID, a vulnerable version range, an exploit signature) to match against. Zero-days, by definition, are unknown to the security community. They require different detection methods: behavioral analysis (anomaly detection), fuzzing (finding crashes), threat intelligence from adversary monitoring, or disclosure by researchers/vendors. This is why defense-in-depth is critical: no single tool catches everything.