Sven Ruppert

DevSecOps, Java & Kotlin, coding since 1996, Speaker and Bushcrafter out of passion.

Articles 6
Views 19,7K
Latest post

SolarWinds Hack And The Executive Order Of Cybersecurity: What Does This Mean For Us?

In the past two years, we have had to learn a lot about cybersecurity. New attack vectors are becoming more and more sophisticated and are directed more and more against the value chain in general. But what does that mean for us? What can be done about it, and what reactions has the state already taken?

CVSS 101: First Steps with Common Vulnerability Scoring System

What is the Common Vulnerability Scoring System (CVSS), who is behind it, what are we doing with it, and what does a CVSS Value mean for you?

With CVSS, we have a value system for evaluating security gaps in software. Since there are no alternatives, the system has been in use worldwide for over ten years and is constantly being developed; it is a de facto standard.

The evaluation consists of three components.

The Lifecycle of a Security Vulnerability

Again and again, we read in the IT news about new security gaps that have been identified.

Most of the time, you don’t even hear or read anything about all the security holes found that are not as well known as the SolarWinds Hack, for example.

But what is the typical lifecycle of such a security gap?

Delegation vs. Inheritance in Graphical User Interfaces

At this point, we have seen how you can achieve a more robust variant of a composition by delegation rather than inheritance.

You can also use this if you are confronted with legacy source code that contains this anti-pattern.

It’s not always possible to clean up everything or change it to the last detail.

But I hope this has given an incentive to approach this situation.

Getting Started with DevSecOps

Even as a software developer, you will often hear this phrase during meetings with the company’s management and sales teams. The phrase is called “Make or Buy”. Typically, we have to decide if we want to do something ourselves or spend money to buy the requested functionality. It could offer less or more functionality, or something different, so that we have to adjust ourselves to use it in our context.

But as software developers, we have to deal with the same question every day. I am talking about dependencies. Should we write the source code ourselves or just add the next dependency? Who will be responsible for removing bugs, and what is the total cost of this decision? But first, let’s take a look at the make-or-buy association inside the full tech stack.
