December 15, 2020 • RBS

Art Manion, Principal Engineer at the CERT Coordination Center, joins Jake Kouns, CEO and CISO at Risk Based Security to talk about vulnerability prioritization, CVSSv4, and how organizations can cope with the increasing number of vulnerability disclosures.

Vulnerabilities are not slowing down. Our VulnDB team aggregated 17,129 vulnerabilities disclosed during the first three quarters of 2020, only 4.6% fewer than in the same period last year. Earlier in 2020 the year-over-year shortfall had been far larger, a 19.2% decline.

Among the main factors responsible for the rapidly closing gap are Vulnerability Fujiwhara events (several major vendors releasing large batches of advisories on the same day) and ever-larger Patch Tuesday releases. With this deluge of vulnerabilities hitting vulnerability management teams, it can be hard to keep up. What can organizations do?

Show Notes

0:15 – Speaker Introduction
1:30 – Rate of vulnerability disclosures in 2020
2:54 – CVSS v3 and how it has been working out
4:03 – CVSS v2 vs. CVSS v3 and maintaining both versions
5:16 – Development of CVSS v4
5:38 – SSVC and what’s on the horizon
16:12 – Why vulnerability prioritization is so critical
21:17 – “Is it 0-day or 0-care”: thoughts from DEF CON 19 Panel
25:52 – New FIRST special interest group (SIG): Exploit Prediction Scoring System (EPSS)
30:38 – Predicting vulnerabilities
33:50 – Advice for companies starting to mature their vulnerability management programs
37:22 – Reactions to testimony regarding complex cybersecurity vulnerabilities before the U.S. Senate Committee on Commerce, Science, and Transportation July 11, 2018
40:59 – VINCE (Vulnerability Information and Coordination Environment): coordinated vulnerability disclosure web platform
44:30 – Closing thoughts and prediction on vulnerability disclosures in 2021

Further Reading:

The Right Security

This is the latest in our video series The Right Security, in which we talk with leaders and veterans in the security industry, tackling the biggest issues impacting organizations today.

Check out The Right Security series on YouTube, and subscribe to the Risk Based Security channel to see new episodes in your feed.
