Art Manion, Principal Engineer at the CERT Coordination Center, joins Jake Kouns, General Manager of Risk Based Security at Flashpoint to talk about vulnerability prioritization, CVSSv4, and how organizations can cope with the increasing number of vulnerability disclosures.
Vulnerabilities are not slowing down. Our VulnDB team aggregated 17,129 vulnerabilities disclosed during the first three quarters of 2020, only 4.6% fewer than in the same period of 2019. Earlier in 2020 that shortfall had been a sharp 19.2%.
One of the main factors behind the rapidly closing gap is the Vulnerability Fujiwhara events, days on which several major vendors' scheduled patch releases land at once, together with ever larger Patch Tuesday releases. With this deluge of vulnerabilities hitting vulnerability management teams, it can be hard to keep up. What can organizations do?
Show notes
0:15 – Speaker introduction
1:30 – Rate of vulnerability disclosures in 2020
2:54 – CVSSv3 and how it has been working out
4:03 – CVSSv2 vs. v3 and maintaining both versions
5:16 – Development of CVSSv4
5:38 – SSVC and what’s on the horizon
16:12 – Why vulnerability prioritization is so critical
21:17 – “Is it 0-day or 0-care”: thoughts from the DEF CON 19 panel
25:52 – New FIRST special interest group (SIG): Exploit Prediction Scoring System (EPSS)
30:38 – Predicting vulnerabilities
33:50 – Advice for companies starting to mature their vulnerability management programs
37:22 – Reactions to testimony on complex cybersecurity vulnerabilities before the US Senate Committee on Commerce, Science, and Transportation on July 11, 2018
40:59 – VINCE (Vulnerability Information and Coordination Environment): coordinated vulnerability disclosure web platform
44:30 – Closing thoughts and prediction on vulnerability disclosures in 2021
Further reading
- Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization (SSVC)
- Flashpoint’s CVSSv3 Article Series
- The Vulnerability Fujiwhara Effect
- DEFCON 19: Panel: Is it 0-day or 0-care?
- Exploit Prediction Scoring System (EPSS)
- Hearing on “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown” Written Testimony of Art Manion
- Software Engineering Institute Vulnerability Information and Coordination Environment (VINCE)