We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?
A threat centric approach

This is a bit of an out-of-date perspective, talking about a problem that already has solutions. Multiple approaches for improving prioritisation of vulnerabilities already exist that augment CVSS's lack of real-world information on the probability that a vulnerability is and will be exploited. Tenable has "Predictive Prioritization" in their enterprise products and Kenna's "Prediction Model" is available to sit on top of other VM vendors' data, both of which use ML to understand the likelihood of exploitation, irrespective of the CVSS base and temporal metrics, to better focus on the small handful of vulnerabilities that will be leveraged versus the massive number disclosed that will never be favoured by attackers.

It's not the scale that's the problem, it's the lack of real world context.