{"id":13591,"date":"2025-07-31T18:32:51","date_gmt":"2025-07-31T15:32:51","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=13591"},"modified":"2025-07-31T18:32:51","modified_gmt":"2025-07-31T15:32:51","slug":"cvss-rbvm-vulnerability-management","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/cvss-rbvm-vulnerability-management\/13591\/","title":{"rendered":"CVSS’den RBVM’ye: G\u00fcvenlik a\u00e7\u0131\u011f\u0131 \u00f6nceliklendirmesinin do\u011fru yap\u0131l\u0131\u015f\u0131"},"content":{"rendered":"

CVSS (Common Vulnerability Scoring System)<\/u> ile ilk kar\u015f\u0131la\u015ft\u0131\u011f\u0131n\u0131zda, bunun g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131 \u00f6nceliklendirmek i\u00e7in m\u00fckemmel bir ara\u00e7 oldu\u011funu d\u00fc\u015f\u00fcnmek kolayd\u0131r. Daha y\u00fcksek bir puan daha kritik bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 anlam\u0131na gelmeli, de\u011fil mi? Ger\u00e7ekte, bu yakla\u015f\u0131m pek i\u015fe yaramaz. Her y\u0131l, y\u00fcksek CVSS puanlar\u0131na sahip g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131n say\u0131s\u0131n\u0131n artt\u0131\u011f\u0131n\u0131 g\u00f6r\u00fcyoruz. G\u00fcvenlik ekipleri bunlar\u0131n hepsini zaman\u0131nda yamalayamaz, ancak bu kusurlar\u0131n b\u00fcy\u00fck \u00e7o\u011funlu\u011fu ger\u00e7ek d\u00fcnyadaki sald\u0131r\u0131larda asla kullan\u0131lmaz. Bu arada, sald\u0131rganlar s\u00fcrekli olarak daha d\u00fc\u015f\u00fck puanlara sahip daha az g\u00f6steri\u015fli g\u00fcvenlik a\u00e7\u0131klar\u0131ndan yararlan\u0131yor. \u00c7ak\u0131\u015fan CVSS puanlar\u0131 gibi tamamen teknik sorunlardan i\u015f ba\u011flam\u0131 eksikli\u011fi gibi kavramsal sorunlara kadar uzanan ba\u015fka gizli tuzaklar da vard\u0131r.<\/p>\n

Bunlar CVSS\u2019nin kendi eksiklikleri de\u011fildir. Bunun yerine, bu arac\u0131n daha sofistike ve kapsaml\u0131 bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 y\u00f6netimi s\u00fcrecinin bir par\u00e7as\u0131 olarak, do\u011fru bir \u015fekilde kullan\u0131lmas\u0131 gerekti\u011finin alt\u0131n\u0131 \u00e7izmektedir.<\/p>\n

CVSS tutars\u0131zl\u0131klar\u0131<\/h2>\n

Ayn\u0131 g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131n mevcut kayna\u011fa ba\u011fl\u0131 olarak nas\u0131l farkl\u0131 \u00f6nem derecelerine sahip olabilece\u011fini hi\u00e7 fark ettiniz mi? Bir puan bunu bulan siber g\u00fcvenlik ara\u015ft\u0131rmac\u0131s\u0131ndan, di\u011feri g\u00fcvenlik a\u00e7\u0131\u011f\u0131 olan yaz\u0131l\u0131m\u0131n sat\u0131c\u0131s\u0131ndan ve bir di\u011feri de ulusal g\u00fcvenlik a\u00e7\u0131\u011f\u0131 veri taban\u0131ndan m\u0131? Bu her zaman basit bir hata de\u011fildir. Bazen farkl\u0131 uzmanlar a\u00e7\u0131\u011f\u0131n ba\u011flam\u0131 konusunda ayn\u0131 fikirde olmayabilirler. G\u00fcvenlik a\u00e7\u0131\u011f\u0131 bulunan bir uygulaman\u0131n hangi ayr\u0131cal\u0131klarla \u00e7al\u0131\u015ft\u0131\u011f\u0131 veya internete a\u00e7\u0131k olup olmad\u0131\u011f\u0131 konusunda farkl\u0131 fikirlere sahip olabilirler. \u00d6rne\u011fin bir sat\u0131c\u0131, de\u011ferlendirmesini \u00f6nerilen en iyi uygulamalara dayand\u0131rabilirken, bir g\u00fcvenlik ara\u015ft\u0131rmac\u0131s\u0131 uygulamalar\u0131n ger\u00e7ek d\u00fcnya kurulu\u015flar\u0131nda tipik olarak nas\u0131l yap\u0131land\u0131r\u0131ld\u0131\u011f\u0131n\u0131 dikkate alabilir. Bir ara\u015ft\u0131rmac\u0131 g\u00fcvenlik a\u00e7\u0131\u011f\u0131 karma\u015f\u0131kl\u0131\u011f\u0131n\u0131 y\u00fcksek olarak de\u011ferlendirirken, bir di\u011feri d\u00fc\u015f\u00fck olarak de\u011ferlendirebilir. Bu nadir g\u00f6r\u00fclen bir durum de\u011fildir. Vulncheck taraf\u0131ndan 2023 y\u0131l\u0131nda yap\u0131lan bir ara\u015ft\u0131rma<\/a>, Ulusal G\u00fcvenlik A\u00e7\u0131\u011f\u0131 Veri Taban\u0131ndaki (NVD) g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131n %20\u2019sinin farkl\u0131 kaynaklardan al\u0131nan iki CVSS3 puan\u0131na sahip oldu\u011funu ve bu e\u015fle\u015ftirilmi\u015f puanlar\u0131n %56\u2019s\u0131n\u0131n birbiriyle \u00e7eli\u015fti\u011fini ortaya koymu\u015ftur.<\/p>\n

CVSS kullan\u0131rken s\u0131k yap\u0131lan hatalar<\/h2>\n

FIRST<\/a>, on y\u0131l\u0131 a\u015fk\u0131n bir s\u00fcredir CVSS\u2019nin metodolojik olarak do\u011fru uygulanmas\u0131n\u0131 savunmaktad\u0131r. Yine de g\u00fcvenlik a\u00e7\u0131\u011f\u0131 y\u00f6netim s\u00fcre\u00e7lerinde CVSS derecelendirmelerini kullanan kurulu\u015flar tipik hatalar yapmaya devam eder:<\/p>\n

    \n
  1. CVSS taban puan\u0131n\u0131 birincil risk g\u00f6stergesi olarak kullanmak: CVSS, bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131n ciddiyetini \u00f6l\u00e7er; ne zaman k\u00f6t\u00fcye kullan\u0131laca\u011f\u0131n\u0131 veya bu k\u00f6t\u00fcye kullanman\u0131n sald\u0131r\u0131 d\u00fczenlenen kurulu\u015f \u00fczerindeki potansiyel etkisini \u00f6l\u00e7mez. Bazen kritik bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131, \u00f6nemsiz ve kapal\u0131 sistemlerde bulundu\u011fu i\u00e7in spesifik bir \u015firket ortam\u0131nda zarars\u0131zd\u0131r. Tersine, b\u00fcy\u00fck \u00f6l\u00e7ekli bir fidye yaz\u0131l\u0131m\u0131 sald\u0131r\u0131s\u0131, CVSS puan\u0131 6 olan g\u00f6r\u00fcn\u00fc\u015fte zarars\u0131z bir bilgi s\u0131z\u0131nt\u0131s\u0131 a\u00e7\u0131\u011f\u0131 ile ba\u015flayabilir.<\/li>\n
  2. Tehdit\/Zamansal ve \u00c7evresel ayarlamalar olmadan CVSS Taban puan\u0131n\u0131 kullanmak: Yamalar\u0131n, halka a\u00e7\u0131k a\u00e7\u0131kl\u0131klar\u0131n ve telafi edici \u00f6nlemlerin mevcudiyeti, bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131n nas\u0131l ve ne kadar acilen ele al\u0131nmas\u0131 gerekti\u011fini \u00f6nemli \u00f6l\u00e7\u00fcde etkiler.<\/li>\n
  3. Yaln\u0131zca belirli bir puan\u0131n \u00fczerindeki g\u00fcvenlik a\u00e7\u0131klar\u0131na odaklanmak: Bu yakla\u015f\u0131m bazen devlet veya end\u00fcstri d\u00fczenleyicileri taraf\u0131ndan zorunlu k\u0131l\u0131nmaktad\u0131r (\u201cCVSS puan\u0131 8\u2019in \u00fczerinde olan g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131 bir ay i\u00e7inde giderin\u201d). Sonu\u00e7 olarak, siber g\u00fcvenlik ekipleri, ger\u00e7ekte altyap\u0131lar\u0131n\u0131 daha g\u00fcvenli hale getirmeyen, s\u00fcrekli artan bir i\u015f y\u00fck\u00fcyle kar\u015f\u0131 kar\u015f\u0131ya kalmaktad\u0131r. Her y\u0131l tespit edilen y\u00fcksek CVSS puan\u0131na sahip g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131n say\u0131s\u0131 son 10 y\u0131lda h\u0131zla artmaktad\u0131r<\/a>.<\/li>\n
  4. K\u00f6t\u00fcye kullanma olas\u0131l\u0131\u011f\u0131n\u0131 de\u011ferlendirmek i\u00e7in CVSS kullanmak: Bu \u00f6l\u00e7\u00fctler aras\u0131nda zay\u0131f bir korelasyon vard\u0131r; kritik g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131n yaln\u0131zca %17\u2019si<\/a> sald\u0131r\u0131larda kullan\u0131lmaktad\u0131r.<\/li>\n
  5. Sadece CVSS derecelendirmesini kullanmak: CVSS\u2019de standartla\u015ft\u0131r\u0131lm\u0131\u015f vekt\u00f6r dizisi, savunucular\u0131n bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131n ayr\u0131nt\u0131lar\u0131n\u0131 anlayabilmeleri ve kendi organizasyonlar\u0131 i\u00e7indeki \u00f6nemini ba\u011f\u0131ms\u0131z olarak hesaplayabilmeleri i\u00e7in tan\u0131t\u0131ld\u0131. CVSS 4.0, ek metrikler kullanarak i\u015f ba\u011flam\u0131n\u0131 hesaba katmay\u0131 kolayla\u015ft\u0131rmak i\u00e7in \u00f6zellikle revize edilmi\u015ftir. Yaln\u0131zca say\u0131sal bir derecelendirmeye dayanan herhangi bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 y\u00f6netimi \u00e7al\u0131\u015fmas\u0131 b\u00fcy\u00fck \u00f6l\u00e7\u00fcde etkisiz olacakt\u0131r.<\/li>\n
  6. Ek bilgi kaynaklar\u0131n\u0131 g\u00f6z ard\u0131 etmek: Tek bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 veri taban\u0131na g\u00fcvenmek ve sadece CVSS analizi yapmak yetersizdir. Yamalar, \u00e7al\u0131\u015fan kavram kan\u0131tlar\u0131 ve ger\u00e7ek d\u00fcnyadaki k\u00f6t\u00fcye kullan\u0131m vakalar\u0131 hakk\u0131nda veri olmamas\u0131, g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131n nas\u0131l ele al\u0131naca\u011f\u0131na karar vermeyi zorla\u015ft\u0131rmaktad\u0131r.<\/li>\n<\/ol>\n

    CVSS bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda size ne s\u00f6ylemez?<\/h2>\n

    CVSS; bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131n ciddiyetini, hangi ko\u015fullar alt\u0131nda k\u00f6t\u00fcye kullan\u0131labilece\u011fini ve savunmas\u0131z bir sistem \u00fczerindeki potansiyel etkisini tan\u0131mlamak i\u00e7in tasarlanm\u0131\u015f bir end\u00fcstri standard\u0131d\u0131r. Ancak, bu a\u00e7\u0131klaman\u0131n (ve CVSS Taban puan\u0131n\u0131n) \u00f6tesinde, kapsamad\u0131\u011f\u0131 \u00e7ok \u015fey vard\u0131r:<\/p>\n