Weekly Highlight: NIST’s New Vulnerability Metrics Proposal and the Discovered Flaws in NASA’s Open Source Software


NIST’s Novel Approach in Vulnerabilities Metric

The National Institute of Standards and Technology (NIST) has proposed a new metric designed to evaluate vulnerabilities and their potential exploitation.

Using this approach, organizations can prioritize vulnerabilities based on their likelihood of being exploited.

It works by starting from the base score of the Common Vulnerability Scoring System (CVSS), which quantifies severity, and then modulating that score by the likelihood that the vulnerability will actually be exploited.

The CVSS is an industry-standard vulnerability metric that helps in assigning severity scores to vulnerabilities.

It helps stakeholders prioritize their response activities and helps determine the urgency of the situation.

The score is represented numerically on a scale of 0-10.

However, the existing CVSS scoring system focuses more on potential impact rather than the likelihood of exploitation.

This is where NIST’s new proposal can fill the gaps.

By providing a real-time and dynamic evaluation of vulnerabilities, it can lead to a more adequately informed response and prevention of cyber threats.

Vulnerabilities in NASA’s Open Source Software

Security researcher Leon Juranić has discovered numerous vulnerabilities in NASA’s in-house open source software.

These vulnerabilities could potentially be exploited by attackers to breach their systems.

The affected system is named ‘NASA CFITSIO’, and it’s a library of C and Python functions that read and write data files in FITS (Flexible Image Transport System) data format.

The primary concern here is that this software is not used only by NASA; it is also widely used across the astronomical community in telescope and satellite imagery software.

An exploitation of these vulnerabilities could go beyond just NASA, impacting other organizations and entities globally.

NASA has been informed about the vulnerabilities and it’s likely they’re working on patches as we speak.

This incident serves as a crucial reminder that open source software, while cost-effective and flexible, can also pose significant cybersecurity concerns.

Organizations that utilize such software should always adopt robust vulnerability management programs and maintain a strong security posture.

Follow-Up Reading

For more information on these topics, please check out the following articles:

  1. NIST’s proposal on new vulnerabilities metric
  2. Details on vulnerabilities found in NASA’s open-source software by ThreatLeap
  3. Securing open-source software

AegisLens
