Zoom, best known for its online videoconferencing and collaboration platform, is getting into vulnerability management. The company has announced its Vulnerability Impact Scoring System (VISS), a free-to-use framework for evaluating the impact of security vulnerabilities on computer systems infrastructure, technology stacks, and protected data.
VISS is designed to "objectively" capture the principal impact characteristics of software, hardware, and firmware vulnerabilities, Zoom said. While the industry-standard Common Vulnerability Scoring System (CVSS) is used to subjectively evaluate vulnerability reports primarily from an attacker’s perspective and assumes the reasonable worst-case impact, Zoom explained, VISS focuses on measuring the responsibly demonstrated impact of a vulnerability from the defender’s perspective.
The theoretical possibility of exploitation is not considered with VISS, but rather only the actual exploitation that has been demonstrated, Zoom said. The numerical scores generated indicate the relative impact severity within the given environment. It is important to understand that VISS is not meant as a replacement for CVSS, but as a complementary system of evaluation, the company stressed.
Zoom's VISS is not the first effort to move the ball forward on vulnerabilities with scoring. The Exploit Prediction Scoring System (EPSS), first launched in April 2020, advanced to version 3.0 late last year as a complementary tool to CVSS, by adding more value to software risk scoring, combining descriptive information about vulnerabilities — and evidence of actual exploitation in the wild.
Here's what you need to know about Zoom's VISS, how it compares to EPSS — and how it can advance your application security (AppSec).
[ See ReversingGlass: EPSS 3.0 + CVSS: Why Prioritizing Software Risk is Key | Learn more: Why AppSec teams should go beyond legacy vulnerabilities ]
How VISS measures vulnerability impacts
VISS aims to provide greater efficiency, taking into account more infrastructure and environmental factors, and ideally providing focus on the highest-impact vulnerabilities, said John Gallagher, vice president of the IoT security firm Viakoo Labs.
"Organizations need efficiency in cybersecurity operations, both because of limited security resources and because the longer it takes to react to a vulnerability, the more possibility there is for exploitation."
—John Gallagher
VISS metrics, which produce scores from 0 to 100, take into account 13 aspects of impact for each vulnerability:
- Platform type, which allows the user to specify the type of computing platform impacted by the security vulnerability, not necessarily where the security vulnerability was found.
- Platform confidentiality, which allows the user to specify the impact on the confidentiality of the platform by the successful exploitation of the security vulnerability found.
- Platform integrity, which allows the user to specify the impact on the integrity of the platform by the successful exploitation of the security vulnerability found.
- Platform availability, which allows the user to specify the impact on the availability of the platform by the successful exploitation of the security vulnerability found.
- Infrastructure tenancy, which allows the user to specify the tenancy of the infrastructure on which the security vulnerability was found, but only when there is some level of platform impact present.
- Software tenancy, which allows the user to specify the tenancy of the software on which the security vulnerability was found.
- Data tenancy, which allows the user to specify the tenancy of the data on which the security vulnerability was found.
- Tenants impacted, which allows the user to specify a summary range of tenants impacted by the successful exploitation of the security vulnerability found.
- Data confidentiality, which allows the user to specify the impact on the confidentiality of the data involved by the successful exploitation of the security vulnerability found.
- Data integrity, which allows the user to specify the impact on the integrity of the data involved by the successful exploitation of the security vulnerability found.
- Data availability, which allows the user to specify the impact on the availability of the data involved by the successful exploitation of the security vulnerability found.
- Data classification, which allows the user to specify the internal classification of the data involved in the successful exploitation of the security vulnerability found.
- Upstream compensating controls, which allows the user to specify the existence of any compensating security controls within the impacted software or infrastructure that have a positive defensive impact against the successful exploitation of the security vulnerability found.
How VISS fills gaps in the CVSS
New scoring frameworks such as VISS are emerging to address specific needs or perspectives that CVSS might not fully cover, said James McQuiggan, an advocate at the security awareness training company KnowBe4.
“While CVSS is often criticized, using EPSS or VISS has the potential to provide more tailored or comprehensive assessments for particular environments or threats. The EPSS is also open source and can be updated or openly discussed, whereas the CVSS is controlled, with very few adjustments without significant changes or implementations.”
—James McQuiggan
Zoom said that while it owns all rights and interests in VISS, it licenses it to the public free for use, subject to certain conditions. Zoom also requires that any individual or entity using VISS give proper attribution, where applicable, that VISS is owned by Zoom and is used with permission. In addition, Zoom requires as a condition of use that any individual or entity that publishes VISS scores provide both the score and the scoring vector so others can understand how the score was derived.
Zoom also noted that unlike CVSS, VISS metric options and the weights assigned to those options are customizable by the user as needed to meet the needs of the overall environment, software, and data involved. This flexibility allows each organization to use VISS in a manner specific to it industry, requirements, and risk profile, it added.
Daniel Kennedy, research director for information security and networking at 451 Research, which is part of S&P Global Market Intelligence, said the CVSS has been criticized, sometimes unfairly, for not considering different contexts that may affect vulnerability severity. But he said VISS could end up “yet another standard."
"Folks tend to create these things in pursuit of solving some problem, whether it be the current models not addressing their specific use case, or existing models having more general gaps.”
—Daniel Kennedy
Going beyond vulnerability management alone is key
Vulnerability management has become the battle cry of the cybersecurity world, with organizations drowning in a sea of vulnerabilities and struggling to prioritize remediation efforts, said Sarah Jones, a cyberthreat intelligence research analyst at the cybersecurity services firm Critical Start.
“This is where vulnerability scoring systems like VISS and EPSS step in, offering guidance through the storm."
—Sarah Jones
Although both systems aim to address deficiencies in CVSS, they approach their mission in different ways, Jones said. "It analyzes 13 factors and assigns 0 to 100 severity scores based on actual damage from past exploits,” she said.
“Think of VISS as a data-driven post-mortem."
—Sarah Jones
VISS aligns vulnerability patching with demonstrably impactful threats, supporting incident response and mitigating ongoing attacks, Jones said.
“However, it doesn't predict future assaults, leaving them lurking in the shadows.”
—Sarah Jones
VISS vs EPSS: How they compare
EPSS takes a forward-looking approach using threat intelligence and vulnerability characteristics to estimate the chance of exploitation within 30 days.
“Like a security weather forecast, it identifies storm clouds most likely to unleash fury, enabling proactive risk mitigation. However, its reliance on complex algorithms and limited historical data introduces uncertainties, requiring cautious interpretation.”
—Sarah Jones
VISS and EPSS are complementary tools, not rivals, Jones said. “Choose based on your priorities — address past damage with VISS or predict future threats with EPSS. Combine their strengths with CVSS to navigate the cybersecurity landscape.”
Proactive vulnerability management is a strategic investment in your organization's future, Jones said. “By understanding these systems and taking a holistic approach, you can stay ahead of the curve and keep those vulnerability monsters at bay.”
However, McQuiggan cautioned about obsessing over vulnerabilities in general.
“Focusing on vulnerabilities is a proactive approach to cybersecurity, aiming to prevent exploits before they occur. However, it should be part of a broader security strategy that includes protection against malware, zero-day exploits, and social engineering, since addressing vulnerabilities is not a silver bullet and does not guarantee defense and risk reduction against all cyber threats.”
—James McQuiggan
Matt Rose, field CISO for ReversingLabs, said security teams are facing alert fatigue "across the board," so new vulnerability scoring systems are a step in the right direction.
"There's just not enough time, resources, and budget to address everything."
—Matt Rose
Rose said the increase in sophisticated supply chain attacks means its time to go beyond vulnerabilities when it comes to managing risk across the software development lifecycle (SDLC). He advocates for focusing on active malware instead, citing the Enduring Security Framework group's call to for binary analysis and reproducible builds.
Complex binary analysis, which focuses on malware, can help organizations evaluate and verify the security of not just internally developed software, but also third-party commercial software in their environment, before it is released.
"It is the final examination of a package for software supply chain risk, which allows for trust in that piece of software that you are either developing for your customers or that you are buying to help operate your business."
—Matt Rose
