Davis Security Score (DSS) is an enhanced risk-calculation score based on the industry-standard Common Vulnerability Scoring System. Because Davis AI also considers parameters like public internet exposure and checks to see if and where sensitive data is affected, DSS is the most precise risk-assessment score available.
How DSS is better than CVSS
Virtually all security products use the CVSS Base Score to set the severity of security vulnerabilities. CVSS was designed to be risk-averse, which means that, for any given vulnerability, the assigned score assumes the worst-case scenario. The CVSS specification does allow for some modifications based on environmental influences, but this is usually not factored into the risk score calculation, which leads to many high or critical problem scores that the user needs to handle.
DSS is more accurate: Davis doesn't assume the worst-case scenario. Instead, Davis adapts the characteristics of the vulnerability to your particular environment, taking into consideration its structure and topology, and advises you as to which elements are prone to errors and how to handle security issues. With Davis AI, you can find out whether the affected entity is reachable from the Internet and whether there is any data storage within reach of an affected entity.
DSS makes you more efficient: By including additional parameters in its analysis, Davis can more precisely calculate the security score and predict the potential risk of a vulnerability to your environment. By reducing the score of vulnerabilities that are, in fact, not critical for your environment, you gain time to focus on the real issues and fix them faster.
Davis Security Score scale
The DSS scale ranges between 0.1 (lowest risk) and 10.0 (most critical risk):
- Low-risk problems are indicated with blue and range between 0.1 and 3.9
- Medium-risk problems are indicated with yellow and range between 4.0 and 6.9
- High-risk problems are indicated with red and range between 7.0 and 8.9
- Critical-risk problems are indicated with red and range between 9.0 and 10.0
1. CVSS Base
The Davis calculation starts from the CVSS Base Score and takes into consideration metrics pertaining to
- Public internet exposure: Attack vector (AV)
- Sensitive data assets: Confidentiality (C) and Integrity (I)
2. Davis adds context to public internet exposure
To influence the security score of a vulnerability based on the public internet exposure, Davis uses the Modified Attack Vector (MAV) metric. This metric reflects the context by which vulnerability exploitation is possible.
- If the original AV value shows exploitation is possible via network access, but, based on the topology information extracted from your environment, the service isn't actually exposed, Davis lowers the MAV value.
- In all other cases, the MAV value doesn't differ from the original AV value.
3. Davis adds context to sensitive data assets
To influence the security score of a vulnerability based on sensitive data assets, Davis uses the Modified Confidentiality (MC) and Modified Integrity (MI) metrics. These metrics reflect the actual accessibility of a sensitive data asset to an affected service.
- If the original C and I values show that data exposure or manipulation is possible, but, based on Davis' evaluation, there aren't any sensitive data assets accessible by the affected service, Davis lowers the corresponding MC and MI values.
- In all other cases, the MC and MI values don't differ from the original C and I values.
4. Final score
The final score is calculated from the two preceding evaluations (public internet exposure and sensitive data assets).
In this example:
- The evaluation of public internet exposure doesn't influence the score, so the risk level remains high.
- The evaluation of sensitive data assets lowers the score to medium.
Davis modifies the scores on the service level. If a security problem has more than one affected service, Davis uses the highest score.
Davis never raises DSS higher than the base CVSS. The values for public internet exposure and sensitive data assets can only lower the score or not affect it at all.
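The following is an added worked example, not Dynatrace's own code: it applies the four steps above using the public CVSS 3.1 Base and Environmental formulas (MAV for exposure, MC/MI for sensitive data), takes the highest score across affected services, and clamps the result so it never exceeds the base score. The page does not state which values Davis lowers MAV, MC and MI to, so this example assumes a not-exposed network vector becomes Adjacent and that MC/MI drop one step (H to L, L to N), with CR/IR/AR left Not Defined; the vector and service list are constructed sample input.

```python
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}  # CVSS 3.1 metric weights
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
LOWER = {"H": "L", "L": "N", "N": "N"}  # assumed one-step lowering of MC/MI

def roundup(x):
    """CVSS 3.1 Roundup: to one decimal, without floating-point artefacts."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def parse(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(p.split(":") for p in vector.split("/")[1:])

def cvss(m, av, c, i, modified):
    """Base (modified=False) or Environmental score with AV, C, I overridden; CR/IR/AR = Not Defined."""
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[m["A"]])
    if modified:
        iss = min(iss, 0.915)  # MISS cap from the Environmental formula
    if not changed:
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * AV[av] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def davis_score(vector, services):
    """services: [(name, internet_exposed, sensitive_data_reachable)]; returns (base CVSS, DSS)."""
    m = parse(vector)
    base = cvss(m, m["AV"], m["C"], m["I"], modified=False)
    best = 0.0
    for _, exposed, data in services:
        # Step 2: network-exploitable but not actually exposed -> MAV assumed lowered to Adjacent
        mav = "A" if m["AV"] == "N" and not exposed else m["AV"]
        # Step 3: no sensitive data asset reachable from the service -> MC/MI lowered one step
        mc, mi = (m["C"], m["I"]) if data else (LOWER[m["C"]], LOWER[m["I"]])
        best = max(best, cvss(m, mav, mc, mi, modified=True))  # highest affected service wins
    return base, min(best, base)  # Step 4: DSS is never raised above the base CVSS

def risk_band(s):
    """DSS scale from this page: Low < 4.0 <= Medium < 7.0 <= High < 9.0 <= Critical."""
    return "Critical" if s >= 9.0 else "High" if s >= 7.0 else "Medium" if s >= 4.0 else "Low"
```

With the constructed vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N` (base 8.1, high), an exposed service with no sensitive data in reach scores 5.4 (medium), reproducing the page's example.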