
When it comes to vulnerability triage, ditch CVSS and prioritize exploitability
2021-02-10 06:00

Automated vulnerability reports generated by scanning tools are returning hundreds, if not thousands, of vulnerabilities, and with many organizations reporting a shortage of skilled cybersecurity professionals, teams are already stretched too thin to fix each one.

In an effort to resolve this, developers and security professionals have traditionally relied on vulnerability scoring systems to help them prioritize the most critical flaws and streamline remediation efforts.

To filter through these large data sets, developers conduct vulnerability triage, categorizing the detected flaws in order of the risk they pose to an application's security or functionality.

Don't be a foo() when it comes to vulnerability remediation.

Rather than focusing on severity as determined by CVSS scoring, developers should prioritize vulnerabilities by focusing on the potential path they offer for exploitability.

While these scoring tools serve a valuable purpose, vulnerability triage is equally essential in software development, where agility can be either lost or gained.
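To make the contrast concrete, here is an added illustration (not code from the article or from Help Net Security) of the two orderings the piece argues about: one ranks a constructed scanner report purely by CVSS base score, the other by an assumed exploitability scheme that counts how many preconditions an attacker still needs (vulnerable code in use, reachable from an attacker-controlled input, public exploit available) and uses CVSS only as a tie-breaker. The CVE identifiers, the three signals and the scoring scheme are all assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding with the signals a triage pass can look at."""
    cve: str               # placeholder ids below, constructed for this example
    cvss: float            # base score the scanner reported
    exploit_public: bool   # a working exploit is publicly known
    reachable: bool        # the vulnerable code sits on an attacker-reachable path
    in_use: bool           # the application actually calls the affected code


def exploitability(f: Finding) -> int:
    """Assumed scheme: count the preconditions an attacker has NOT yet got.
    Lower is easier to exploit; 0 means every precondition is already met."""
    return sum(not flag for flag in (f.in_use, f.reachable, f.exploit_public))


def rank_by_cvss(findings):
    """Severity-only triage: highest base score first."""
    return sorted(findings, key=lambda f: -f.cvss)


def rank_by_exploitability(findings):
    """Exploitability first; CVSS only breaks ties among equally exposed flaws."""
    return sorted(findings, key=lambda f: (exploitability(f), -f.cvss))


# Constructed sample report: three findings a scanner might hand to a team.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 9.8, exploit_public=False, reachable=False, in_use=False),
    Finding("CVE-EXAMPLE-0002", 6.5, exploit_public=True,  reachable=True,  in_use=True),
    Finding("CVE-EXAMPLE-0003", 7.5, exploit_public=True,  reachable=False, in_use=True),
]

if __name__ == "__main__":
    # The critical-looking 9.8 drops to the bottom once exposure is considered,
    # while the medium 6.5 that is live, reachable and weaponized moves to the top.
    print("CVSS order:          ", [f.cve for f in rank_by_cvss(SAMPLE)])
    print("Exploitability order:", [f.cve for f in rank_by_exploitability(SAMPLE)])
```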


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/W6LdlgEtXJY/