The National Institutes of Standards and Technology created a new scoring system that will allow computer security managers to assess the severity of security risks arising from certain software features.
NIST's "Common Misuse Scoring System" provides a systematic way for organizations to determine the severity of software feature misuse so that the organization can determine how to handle the problem.
NIST classifies software vulnerabilities in three general categories:
- Software flaws—coding errors that allow security breaches—are an obvious problem.
- Configuration vulnerabilities come from setting the software up improperly—allowing a program access to data it shouldn't see, for instance.
- But software feature misuse is more subtle. With feature misuse, savvy attackers violate the trust assumptions that are inherent in software features to subvert a system's security.