Security News > 2023 > July > Relying on CVSS alone is risky for vulnerability management
A vulnerability management strategy that relies solely on CVSS for vulnerability prioritization is proving to be insufficient at best, according to Rezilion.
Relying solely on a CVSS severity score to assess the risk of individual vulnerabilities was shown to be equivalent to randomly selecting vulnerabilities for remediation.
Throughout the new research, Rezilion's vulnerability researchers unveiled more than 30 actively exploited vulnerabilities with a high EPSS score that were not listed in the CISA KEV catalog, highlighting the coverage gap within the CISA KEV catalog.
"These findings accentuate the need for considering more than just one metric for effective vulnerability management," said Yotam Perkal, Director of Vulnerability Research with Rezilion.
The KEV catalog alone is insufficient due to the delay in adding newly discovered vulnerabilities.
A patching strategy that considers CVSS, internal environment context, and additional threat intelligence sources such as CISA KEV combined with EPSS, can assist organizations in making informed, risk-based vulnerability management decisions and improve the overall security posture of their organization.
News URL
https://www.helpnetsecurity.com/2023/07/31/cvss-vulnerability-strategy/