How to prioritize vulnerabilities.

Security is constantly moving, and a secure system today might be vulnerable tomorrow—even without any changes or updates. 

Vulnerabilities can emerge and be identified at any point during the lifespan of an open-source component. When a vulnerability in such a component is publicly disclosed, and that component is part of your software, it becomes urgent to decide on a remediation strategy.

For most organizations, the challenge lies in the sheer volume of vulnerabilities surpassing the resources available for their management. Therefore, establishing a risk-based prioritization process is essential. This approach involves tools automatically detecting vulnerabilities, collecting related data, and providing prioritization mechanisms to support the assessment of vulnerabilities. Based on the level of risk they pose to your business and your clients, ensure that the most critical issues are addressed first. Here are seven key areas to include in the assessment: validity, severity, exploitabilityimpactasset value, threat intelligence, and ease of remediation

Validity

Algorithms matching the component names, versions, and platform/vendors with vulnerability data feeds will now and then make mistakes and falsely label components vulnerable. Suppose your tool can prevent an alert from creating noise by appearing again. In that case, it may be better with some false positives than being too rigid regarding input data and not detecting an existing weakness. 

So, the first step is to check that the vulnerability warning is valid.

Severity

The severity is often determined using tools like the Common Vulnerability Scoring System (CVSS). It is the primary indicator to determine the severity of a vulnerability, providing a first impression of how quickly an organization should react. A CVE announcement from the data feed comes with a CVSS base metric score (0-10) created in a standardized process to assess vulnerabilities. The score may be locally modified with additional temporal and environmental metric scores.

But, relying solely on the CVSS is not sufficient. Decisions are not numbers. In parallel, it’s essential to consider many factors that contribute to a more holistic review of a vulnerability’s impact and urgency. 

Exploitability

How easily and likely do potential attackers exploit a vulnerability? A first assessment is already determined as part of the CVSS scoring value. But there are several other factors to include, like the availability of Proof of Concept (PoC) exploit code, if the vulnerability already has been exploited (verified), the complexity required, or if the exploit is automatable. Or, perhaps one of the most critical factors, the potential rewards an attacker might get from the exploitation.

Additional data on the likelihood of exploitation can be gathered from the EPSS model, providing valuable insight into the current status when prioritizing. The occurrence of threat intelligence information is also an important indicator when assessing the vulnerability.

Impact

What are the potential consequences for your business if a vulnerability is exploited, including data breaches, downtime, reputational damage, financial loss, and more? Understanding the possible effects will help in the prioritization process. 

Implementing and setting an impact value can help with individual prioritizations among many vulnerabilities. Impact value ranges, such as low to very high, can be helpful.

Asset Value

Not all assets in an organization have the same value. Recognizing the distinct importance and value of each asset is crucial. Is a business-critical database at stake, or the control of critical infrastructure, or is it the booking system for the gym? Such a targeted approach enhances the efficiency of the prioritization and the organization’s overall cybersecurity strategy.

Threat Intelligence

Threat and Vulnerability Intelligence adds an extra layer to the exploitation information pattern. Data about activities, attacks, and threats from credible sources can offer insights into the probability of an emerging aggression. Collecting threat intelligence data becomes more and more crucial. Data may be retrieved from various sources, including government agencies, private sector organizations, and open-source communities. 

Ease of remediation

Suppose you can update the vulnerable component in your software build without delays, compatibility, or dependency problems or upgrade or patch your affected systems without uncertainties. In that case, it may be the most efficient way to prioritize: no analyzing, no further collecting of data, not anything but doing the upgrade/patch—all the work of releasing new versions and sharing information is yours regardless.


In summary, prioritizing and making decisions about remediating vulnerable components and systems is a continuous task involving multiple parts of your organization, consuming time and money. It’s work you cannot escape, but with the proper tooling and automation, you can improve the efficiency to minimize risk and cost.


SBOM Central provides a user-friendly service for managing, monitoring, and sharing your SBOMs. It efficiently identifies and notifies you of vulnerabilities, exploits, and other security concerns while conducting ongoing scans for software updates, licensing compliance, and various health indicators.