When it comes to vulnerability triage, ditch CVSS and prioritize exploitability - Help Net Security

When it comes to software security, one of the biggest challenges facing developers today is information overload. Thanks in part to the widespread proliferation and use of open-source code (a study by Red Hat showed that 36% of software in use at surveyed organizations was open source), as well as the increasing complexity of the average application, a given project can now be expected to carry a very large number of dependencies. In turn, each of these dependencies is a potential entry point for a vulnerability if it is not properly secured.



Owing to this state of affairs, developers face a new challenge. Automated vulnerability reports generated by scanning tools are returning hundreds, if not thousands, of vulnerabilities, and with a great many organizations reporting a lack of skilled cybersecurity professionals, teams are already stretched too thin to fix each one. Quickly remediating every single vulnerability identified by a scan is simply not feasible.


In an effort to resolve this, developers and security professionals have traditionally relied on vulnerability scoring systems to help them prioritize the most critical flaws and streamline remediation efforts. While this does help get software out the door faster with fewer vulnerabilities, ranking on a severity score alone is too simplistic. Exploitability, whether the flaw can actually be reached and abused in the deployed application, is a far more useful benchmark for triage.
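To make the contrast concrete, the following is an added illustration, not code from the article or from any scanner it refers to. It takes a handful of constructed scan findings and ranks them two ways: by CVSS base score alone, and by an exploitability-first ordering that treats a vulnerable function that is unreachable from application code, or that lives in a dependency absent from the production build, as not exploitable regardless of its score. The signal names (`reachable`, `runtime_scope`, `internet_facing`, `known_exploited`) and the weights are assumptions chosen for the example; a real program would feed them from call-graph analysis, the build manifest, deployment inventory and exploit intelligence.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    """One scanner result plus the context signals a triage process adds to it."""
    ident: str            # constructed placeholder id, not a real advisory number
    package: str
    cvss: float           # CVSS base score as reported by the scanner
    reachable: bool       # vulnerable function reachable from application code (assumed signal)
    runtime_scope: bool   # dependency is shipped in production, not dev/test only (assumed signal)
    internet_facing: bool # component handles untrusted network input (assumed signal)
    known_exploited: bool # public exploit or in-the-wild exploitation reported (assumed signal)

# Constructed sample findings for the example; values are illustrative only.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("FINDING-1", "image-lib",   9.8, reachable=False, runtime_scope=True,  internet_facing=False, known_exploited=False),
    Finding("FINDING-2", "http-router", 7.5, reachable=True,  runtime_scope=True,  internet_facing=True,  known_exploited=True),
    Finding("FINDING-3", "test-harness",9.1, reachable=True,  runtime_scope=False, internet_facing=False, known_exploited=False),
    Finding("FINDING-4", "json-parser", 6.5, reachable=True,  runtime_scope=True,  internet_facing=True,  known_exploited=False),
]

def exploitability_score(f: Finding) -> float:
    """Illustrative weighting: unreachable or non-shipped code scores zero, everything
    else starts at 1.0 and gains weight for exposure and known exploitation (assumed weights)."""
    if not f.reachable or not f.runtime_scope:
        return 0.0
    score = 1.0
    if f.internet_facing:
        score += 2.0
    if f.known_exploited:
        score += 3.0
    return score

def triage(findings: List[Finding], by: str = "exploitability") -> List[Finding]:
    """Return findings in remediation order. 'cvss' sorts on base score alone;
    'exploitability' sorts on the exploitability score, using CVSS only as a tie-breaker."""
    if by == "cvss":
        return sorted(findings, key=lambda f: f.cvss, reverse=True)
    if by == "exploitability":
        return sorted(findings, key=lambda f: (exploitability_score(f), f.cvss), reverse=True)
    raise ValueError(f"unknown triage mode: {by}")

def ordered_packages(findings: List[Finding], by: str) -> List[str]:
    """Convenience view of the ranking as package names."""
    return [f.package for f in triage(findings, by)]

if __name__ == "__main__":
    for mode in ("cvss", "exploitability"):
        print(f"{mode:>14}: {ordered_packages(SAMPLE_FINDINGS, mode)}")
```

Run as a script it prints the two orderings side by side: the CVSS-only list puts the 9.8 in an unreachable image library first and the exploited, internet-facing router third, while the exploitability-first list moves the router to the top and pushes both non-exploitable findings to the bottom where they can be scheduled rather than fire-fought. The tie-breaker on CVSS means the score is still used, just not as the primary key.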


Why legacy scoring systems are no longer sufficient


The large number of vulnerabilities returned by automated scans is not a new problem. In fact, it is commonly cited by developers as an obstacle to security. To attempt to filter through these large data sets, developers conduct vulnerability triage where they categorize the flaws that have been detected ..