面向SaaS云平台的安全漏洞评分方法研究

对不同的第三方提供的云服务进行漏洞评分是一项充满挑战的任务。针对一些基于云平台的重要因素，例如业务环境（业务间的依赖关系等），提出了一种新的安全框架VScorer，用于对基于不同需求的云服务进行漏洞评分。通过对VScorer输入具体的业务场景和安全需求，云服务商可以在满足安全需求的基础上获得一个漏洞排名。根据漏洞排名列表，云服务提供商可以修补最关键的漏洞。在此基础上开发了VScorer的原型，并且证实它比现有最具有代表性的安全漏洞评分系统CVSS表现得更为出色。

Vulnerabilities scoring approach for cloud SaaS

There are full of challenges to score vulnerabilities of cloud services developed by different third-party providers. Although there have been a few systems for scoring vulnerabilities (e. g., CVSS) of many existing software, most of them are unable to be leveraged to score vulnerabilities in cloud services, because they fail to consider some important factors located in the clouds such as business context (i. e ., dependency relationships between services). VScorer, a novel security frame work to score vulnerabilities in various cloud services were presented based on different given requirements. By inputting concrete business context and security requirement into VScorer, cloud provider can get a ranking list of vulnerabilities in the business based on the given security requirement. Following the ranking list, cloud provider was able to patch the most critical vulnerabilities first. A prototype was developed and VScorer can be demonstrazed to work better than current representative vulnerability scoring system CVSS.