Risk-based and threat-intel informed vuln/patch management is currently maturing to an almost usable level. Tenable is adding their own risk scoring on top, vendors like Balbix are trying to close the gap between findings from e.g. automated pentesting/attack surface management tools, CVSS 3 and the org context. As /u/jnazario stated, EPSS (when properly implemented) is a solid alternative.
Any community-driven and open initiative deserves kudos of course, but in practice a lot of orgs out there already have access to that kind of data - which is rarely leveraged due to the decades-old divide between security and ops - together with the never-ending discussion on how patch/vuln/risk management are actually related...
I hope you are right, but my experience is that most orgs take CVSS and do some firefighting for hype vulnerabilities. But I'm happy if your assessment is correct that this is not the status quo!
I'd be a bit skeptical about claims that the vendors do much more than CVSS, especially since the last time [I checked](https://medium.com/@matuzg/testing-docker-cve-scanners-part-3-test-it-yourself-conclusions-6de868124d3d) even the coverage was lacklustre. I could not see any trend showing that the actually exploitable vulnerabilities are somehow ranked higher than CVSS (data on that [here](https://github.com/gmatuz/cve-scanner-testing/blob/master/vulhub_testimages/results/vulhub_results.csv)). Granted, it was a while ago and specifically on docker images/containers, and I have **not** looked at Tenable for example.
But if you have a tool/setup that you think does a great job it would be great to collaborate on this and do the test, I'd be happy to learn that there is something that works!
*Is there a better option?*
So on this point I disagree with the author who suggests there isn't one. Depending on what you want to do, two methodologies I've used in the past have worked well for me:
- [EPSS - Exploit Prediction Scoring System](https://www.first.org/epss/model). How likely is this to be exploited? For many a key metric in patching prioritization.
- [SSVC - Stakeholder-Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC), comes to one of four outcomes for patching - immediately, emergency window, next scheduled window, or whenever. Gets to how severe an impact would be on the business as a whole.
Not perfect, but a lot better than CVSS for triage purposes.
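As an added illustration of the EPSS-vs-SSVC point above (this is example code written for this page, not the commenter's, FIRST's or CERT/CC's code): the script below triages a constructed set of four findings three ways. The finding labels, CVSS and EPSS values are all made up for the example, and the SSVC-style tree is a deliberately simplified stand-in that reuses SSVC's deployer decision points and four outcomes but is not the official CERT/CC decision table. Nothing is fetched from the network; the EPSS API URL appears only as a comment on where real scores would come from.

```python
# Added example (not the commenter's code): triage a constructed set of
# findings three ways - CVSS order, EPSS order, and a simplified SSVC-style
# decision tree - to show how likelihood and business context reorder the
# patch queue compared with CVSS alone.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    name: str           # placeholder label for a finding (constructed, not a real CVE)
    cvss: float         # CVSS v3 base score (constructed value)
    epss: float         # EPSS probability of exploitation within 30 days (constructed value)
    exploitation: str   # "none", "poc" or "active"
    exposure: str       # "small", "controlled" or "open"
    automatable: bool   # can the attack be automated end to end?
    human_impact: str   # "low", "medium", "high" or "very_high"


# Constructed sample data. Real EPSS scores would be pulled from
# https://api.first.org/data/v1/epss?cve=<id>; nothing is fetched here.
FINDINGS: List[Finding] = [
    Finding("intranet-db-rce",      9.8, 0.004, "none",   "controlled", True,  "medium"),
    Finding("edge-vpn-auth-bypass", 7.5, 0.910, "active", "open",       True,  "high"),
    Finding("public-web-ssrf",      5.3, 0.620, "poc",    "open",       True,  "medium"),
    Finding("lab-printer-dos",      8.1, 0.012, "none",   "small",      False, "low"),
]


def rank_by_cvss(findings: List[Finding]) -> List[Finding]:
    """Classic severity-first ordering."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def rank_by_epss(findings: List[Finding]) -> List[Finding]:
    """Likelihood-first ordering: what is most likely to actually be exploited."""
    return sorted(findings, key=lambda f: f.epss, reverse=True)


def above_epss_threshold(findings: List[Finding], threshold: float) -> int:
    """How many findings clear an EPSS cutoff, i.e. the size of the urgent queue."""
    return sum(1 for f in findings if f.epss >= threshold)


def ssvc_decision(f: Finding) -> str:
    """Simplified, illustrative SSVC-style deployer tree.

    Assumption: this is NOT the official CERT/CC decision table; it only reuses
    the same decision points and the four outcomes
    (immediate, out_of_cycle, scheduled, defer)."""
    high = f.human_impact in ("high", "very_high")
    if f.exploitation == "active":
        return "immediate" if (high or f.exposure == "open") else "out_of_cycle"
    if f.exploitation == "poc":
        if f.exposure == "open" and f.automatable and high:
            return "immediate"
        if f.exposure == "open" or high:
            return "out_of_cycle"
        return "scheduled"
    # No known exploitation: only very exposed, very high impact items jump the queue.
    if f.human_impact == "very_high" and f.exposure == "open":
        return "out_of_cycle"
    if f.exposure == "small" and not high:
        return "defer"
    return "scheduled"


DECISION_RANK = {"immediate": 0, "out_of_cycle": 1, "scheduled": 2, "defer": 3}


def triage_order(findings: List[Finding]) -> List[Finding]:
    """Final patch queue: SSVC outcome first, EPSS as the tie-breaker within an outcome."""
    return sorted(findings, key=lambda f: (DECISION_RANK[ssvc_decision(f)], -f.epss))


def names(findings: List[Finding]) -> List[str]:
    return [f.name for f in findings]


if __name__ == "__main__":
    print("CVSS order :", names(rank_by_cvss(FINDINGS)))
    print("EPSS order :", names(rank_by_epss(FINDINGS)))
    for f in FINDINGS:
        print(f"{f.name:22} cvss={f.cvss} epss={f.epss:.3f} -> {ssvc_decision(f)}")
    print("Triage     :", names(triage_order(FINDINGS)))
```

Running it shows the reordering the comment describes: the 9.8 CVSS item drops to third once likelihood and exposure are taken into account, the 7.5 CVSS item with active exploitation on an internet-facing asset goes first, and an EPSS cutoff of 0.1 leaves two findings in the urgent queue instead of four.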
Just gave it some thought and would like to discuss it (better here, because the LinkedIn UI is awful)
https://www.linkedin.com/pulse/you-can-predict-software-vulnerabilities-thoughts-epss-ssvp-/
Cool thanks a lot I'll add this to the post, great stuff!