Web application security - the fast guide 1.1 | Page 56

Chapter 3 - Vulnerabilities and threat models

On the other hand, to include the environmental effect we use the environmental equation. This equation also gives a score between 0 and 10; the result should be less than the temporal score.

EnvironmentalScore = round_to_1_decimal((AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution)

AdjustedTemporal = TemporalScore recomputed with the BaseScore's Impact sub-equation replaced with the AdjustedImpact equation

AdjustedImpact = min(10, 10.41 * (1 - (1 - ConfImpact*ConfReq) * (1 - IntegImpact*IntegReq) * (1 - AvailImpact*AvailReq)))

CollateralDamagePotential = case CollateralDamagePotential of
    none:         0
    low:          0.1
    low-medium:   0.3
    medium-high:  0.4
    high:         0.5
    not defined:  0

TargetDistribution = case TargetDistribution of
    none:         0
    low:          0.25
    medium:       0.75
    high:         1.00
    not defined:  1.00

ConfReq = case ConfReq of
    low:          0.5
    medium:       1.0
    high:         1.51
    not defined:  1.0

IntegReq = case IntegReq of
    low:          0.5
    medium:       1.0
    high:         1.51
    not defined:  1.0

AvailReq = case AvailReq of
    low:          0.5
    medium:       1.0
    high:         1.51
    not defined:  1.0

Although using CVSS requires a lot of experience to give a good estimate for the different metric groups, it provides an efficient way to score threats and rank them.
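The environmental equation above, worked through in Python as an added example (not code from the book). The base-score and temporal steps needed for AdjustedTemporal, and the sample metric weights, are taken from the CVSS v2 specification rather than from this page; the function names and the sample vector are constructed for illustration.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Environmental weights, as listed in the tables above.
CDP = {"none": D("0"), "low": D("0.1"), "low-medium": D("0.3"),
       "medium-high": D("0.4"), "high": D("0.5"), "not defined": D("0")}
TD = {"none": D("0"), "low": D("0.25"), "medium": D("0.75"),
      "high": D("1.00"), "not defined": D("1.00")}
REQ = {"low": D("0.5"), "medium": D("1.0"), "high": D("1.51"),
       "not defined": D("1.0")}

# Constructed sample vector AV:N/AC:L/Au:N/C:N/I:N/A:C with E:F/RL:OF/RC:C
# (weights per the CVSS v2 specification, an assumption outside this page).
CONF, INTEG, AVAIL = D("0"), D("0"), D("0.660")
EXPLOITABILITY = 20 * D("1.0") * D("0.71") * D("0.704")   # 20*AV*AC*Au
TEMPORAL_FACTOR = D("0.95") * D("0.87") * D("1.0")        # E*RL*RC

def round1(x):
    # Decimal half-up rounding avoids binary-float ties such as 9.15.
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def adjusted_impact(c, i, a, cr, ir, ar):
    raw = D("10.41") * (1 - (1 - c * REQ[cr]) * (1 - i * REQ[ir])
                        * (1 - a * REQ[ar]))
    return min(D("10"), raw)

def base_score(impact, exploitability):
    # CVSS v2 base equation; f(Impact) is 0 when there is no impact.
    f = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability
                   - D("1.5")) * f)

def environmental_score(cdp, td, cr, ir, ar, c=CONF, i=INTEG, a=AVAIL,
                        exploitability=EXPLOITABILITY,
                        temporal_factor=TEMPORAL_FACTOR):
    # AdjustedTemporal: temporal score recomputed on the adjusted impact.
    adj_base = base_score(adjusted_impact(c, i, a, cr, ir, ar),
                          exploitability)
    adj_temporal = round1(adj_base * temporal_factor)
    return round1((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td])

if __name__ == "__main__":
    nd = "not defined"
    print("all not defined    :", environmental_score(nd, nd, nd, nd, nd))
    print("CDP high, AR high  :",
          environmental_score("high", "high", "medium", "medium", "high"))
    print("all reqs low       :",
          environmental_score("none", "high", "low", "low", "low"))
    print("no exposed targets :",
          environmental_score("high", "none", "high", "high", "high"))
```

With every environmental metric left at "not defined" the function returns the temporal score unchanged, which makes it easy to see how each requirement or distribution setting moves the result.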