Vulnerability Prioritization and Disclosure – The Right Security
December 15, 2020 • RBS
Art Manion, Principal Engineer at the CERT Coordination Center, joins Jake Kouns, CEO and CISO at Risk Based Security to talk about vulnerability prioritization, CVSSv4, and how organizations can cope with the increasing number of vulnerability disclosures.
Vulnerabilities are not slowing down. Our VulnDB team aggregated 17,129 vulnerabilities disclosed during the first three quarters of 2020, only 4.6% fewer than in the same period of 2019. Earlier in 2020 that gap had been far wider, a 19.2% decline.
One of the main factors behind the rapidly closing gap is the Vulnerability Fujiwhara events, together with ever larger Patch Tuesday releases. With this deluge of vulnerabilities hitting vulnerability management teams, it can be hard to keep up. What can organizations do?
0:15 – Speaker Introduction
1:30 – Rate of vulnerability disclosures in 2020
2:54 – CVSS v3 and how it has been working out
4:03 – CVSS v2 vs. CVSS v3, and maintaining both versions
5:16 – Development of CVSS v4
5:38 – SSVC and what’s on the horizon
16:12 – Why vulnerability prioritization is so critical
21:17 – “Is it 0-day or 0-care”: thoughts from DEF CON 19 Panel
25:52 – New FIRST special interest group (SIG): Exploit Prediction Scoring System (EPSS)
30:38 – Predicting vulnerabilities
33:50 – Advice for companies starting to mature their vulnerability management programs
37:22 – Reactions to testimony regarding complex cybersecurity vulnerabilities before the U.S. Senate Committee on Commerce, Science, and Transportation July 11, 2018
40:59 – VINCE (Vulnerability Information and Coordination Environment): coordinated vulnerability disclosure web platform
44:30 – Closing thoughts and prediction on vulnerability disclosures in 2021
- Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization (SSVC)
- Risk Based Security’s CVSSv3 Article Series
- The Vulnerability Fujiwhara Effect
- DEFCON 19: Panel: Is it 0-day or 0-care?
- Exploit Prediction Scoring System (EPSS)
- Hearing on “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown” Written Testimony of Art Manion
- Software Engineering Institute Vulnerability Information and Coordination Environment (VINCE)
The Right Security
This is the latest in our video series The Right Security, in which we talk with leaders and veterans in the security industry, tackling the biggest issues impacting organizations today.