Many organizations treat Common Vulnerabilities and Exposures (CVEs) as first-class citizens. Some even enforce strict SLAs on CVE remediation times, tiered by the severity score expressed with the CVSS metric.
The numbers make sense: they are built on real, hard data. Moreover, attackers have access to the same data, so building your entire strategy around vulnerability dashboards seems to make absolute sense.
From a scientific perspective, however, there are (at least) two key questions to investigate. First, do all CVEs represent actual security problems that need to be addressed? Second, do all critical-severity CVEs equal high risk and need to be addressed immediately?
In this episode of AppSec Science I zoom in on the science of CVEs and their CVSS severity scores.
By Dag Flachet