The difference between CVE and CVSS

What is the difference between CVE and CVSS? It can be confusing, especially if you’re not a security professional. Here’s how to make sense of the alphabet soup you hear from security analysts like me.

Both CVE and CVSS are industry standards that refer to vulnerabilities in computer software. Think of a CVE as the tracking number, and CVSS as a measure of severity.

CVE vs CVSS

What is the difference between CVE and CVSS? All computer code has vulnerabilities. CVSS is the most common way to rate and measure them, but it has limitations. And CVE is the industry-standard way to track them.

The difference between CVE and CVSS is important to understand so we don’t talk past each other.

CVEs are the industry-standard way to track vulnerabilities in computer software. The problem is, there are thousands of them; tens of thousands of new ones are discovered every year. The Windows updates that your home computer reboots to install every month fix anywhere from a dozen to a hundred CVEs, depending on how heavy a month it was.

Every vulnerability has a CVE. Security analysts like me use vulnerability scanners to find CVEs in corporate networks and track them. You fix CVEs by applying patches, or security updates. But there isn’t a one-for-one correlation. One patch may address a single CVE, but it’s much more common for a patch to address several CVEs. This is one reason sysadmins and security analysts talk past each other. Security analysts and their tools think in terms of CVEs, but sysadmins and their tools think in terms of patches.

During my years as a sysadmin, I fixed somewhere between 800,000 and 900,000 CVEs in the networks I administered. I was successful because I learned how to understand what the security analysts were saying. But I only did it because my overbearing boss told me he’d fire me if he didn’t, and it was a recession, so I didn’t have any other options. It didn’t endear me to him, needless to say, and once someone told me I’d make a good security analyst, I jumped at the opportunity.

After I became a security analyst, I quickly learned that most sysadmins don’t have to do what I did. If you’re going to deal with CVEs and CVSS, you have to communicate it in ways sysadmins understand. Don’t expect them to learn your lingo.

CVSS and alternative ways to prioritize

Not all CVEs are created equal. I think everyone can agree that, in a perfect world, we shouldn’t have any vulnerabilities in computer software. It should scare you that I was in a position to fix 800,000 CVEs. That wasn’t my team, it was me. I had a couple of nice guys who sat next to me who would help me reboot systems, but deploying the updates and doing the planning and reporting all fell on me. And I did the majority of the reboots too, because both of those guys had other job duties.

I had to fix everything. In theory, stuff with a higher CVSS deserved higher priority. But I had to fix everything eventually and my five bosses all had different and conflicting ideas about when they wanted me to do things, so I settled on fixing everything within 30 days as the only compromise that kept them happy enough while allowing us to maintain our contractually required 99.999% uptime.

For me, a passing score was 100% compliance and 99.999% uptime. Most sysadmins know they don’t have to put up with those kinds of demands, so they negotiate. The problem is, you never strike a particularly good balance, no matter where you draw the line on CVSS. And since most patches fix somewhere between five and seven CVEs, and you don’t get to pick which ones, you always end up fixing a bunch of CVEs that are below your CVSS cutoff anyway.

Let me tell you about a secret weapon.

The patch report: Fixing CVEs and CVSS en masse

Both Qualys and Tenable have a wonderful feature called the patch report. Qualys makes you pull the patch report as a separate report, separate from the scan results. Ask your security analyst for one. Tenable includes a per-system patch report right there in the scan results. Look for plugin 66334 in the results.

The patch report tells you the bare minimum list of patches to deploy to get a clean system. Even a neglected system that’s never been patched in its lifetime can usually get a clean bill of health from 20-30 patches, with the overwhelming majority of the benefit coming from about five of them.

This report didn’t exist during the bulk of my time as a sysadmin. But if I’d had it, I would have taken the list, deduplicated it, and blasted the full list out to my network during my maintenance windows.

The report is never perfect and your success rate is rarely 100 percent, but it’s safe to say this approach will fix 85-99% of the findings in your scan results. You’ll amaze everyone and it will be much easier to make sense of the next scan, with so many fewer findings left in it.
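As an added illustration (not the author's code and not real Qualys or Tenable output), the script below takes a constructed scan export, builds the deduplicated patch list the text describes, ranks patches by how many findings they close, and shows how picking a CVSS cutoff still fixes lower-scored CVEs that share a patch. Host names, CVE ids and patch names are placeholders.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed scan export (not real scanner output). Columns: host, CVE id,
# CVSS base score, and the patch that resolves the finding. All values are
# placeholders chosen so that several CVEs map to one patch.
SCAN_CSV = """host,cve,cvss,patch
srv01,CVE-0000-0001,9.8,KB-A
srv01,CVE-0000-0002,4.3,KB-A
srv01,CVE-0000-0003,7.5,KB-B
srv01,CVE-0000-0004,3.1,KB-B
srv02,CVE-0000-0001,9.8,KB-A
srv02,CVE-0000-0005,5.0,KB-C
srv02,CVE-0000-0006,2.0,KB-C
srv03,CVE-0000-0003,7.5,KB-B
"""

def load_findings(text):
    """Parse the CSV export into (host, cve, cvss, patch) tuples."""
    rows = csv.DictReader(StringIO(text))
    return [(r["host"], r["cve"], float(r["cvss"]), r["patch"]) for r in rows]

def patch_report(findings):
    """Map each patch to the set of (host, cve) findings it resolves."""
    report = defaultdict(set)
    for host, cve, _score, patch in findings:
        report[patch].add((host, cve))
    return report

def dedup_patch_list(findings):
    """Network-wide deduplicated patch list, most findings closed first."""
    report = patch_report(findings)
    return sorted(report, key=lambda p: (-len(report[p]), p))

def cutoff_side_effect(findings, cutoff):
    """Patches needed for CVEs scoring >= cutoff, plus the below-cutoff CVEs
    those same patches fix anyway because they share a patch."""
    needed = {patch for _h, _c, score, patch in findings if score >= cutoff}
    fixed_low = {cve for _h, cve, score, patch in findings
                 if score < cutoff and patch in needed}
    return needed, fixed_low

if __name__ == "__main__":
    findings = load_findings(SCAN_CSV)
    print("Deploy in this order:", dedup_patch_list(findings))
    print("CVSS >= 7.0 cutoff:", cutoff_side_effect(findings, 7.0))
```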

When you have this shortcut, you don’t have to worry nearly as much about the difference between CVEs and CVSS, because you know what you need to do to fix all of it with the minimum amount of effort.

If you found this post informative or helpful, please share it!