[BreachExchange] Vulnerability Prioritization and Disclosure – The Right Security

Destry Winant destry at riskbasedsecurity.com
Wed Dec 16 10:45:50 EST 2020


https://www.riskbasedsecurity.com/2020/12/15/vulnerability-prioritization-and-disclosure-the-right-security/

Video Interview: https://youtu.be/o58wvnBqAyE

Art Manion, Principal Engineer at the CERT Coordination Center
<https://kb.cert.org/vuls/>, joins Jake Kouns, CEO and CISO at Risk Based
Security, to talk about vulnerability prioritization, CVSSv4, and how
organizations can cope with the increasing number of vulnerability disclosures
<https://pages.riskbasedsecurity.com/en/en/2020-q3-vulnerability-quickview-report>.

Vulnerabilities are not slowing down. Our VulnDB team aggregated 17,129
vulnerabilities disclosed during the first three quarters of 2020
<https://www.riskbasedsecurity.com/2020/12/09/new-research-2020-vulnerabilities-on-target-to-match-or-exceed-last-year/>,
marking a 4.6% gap when compared to last year. However, earlier in 2020 that
gap was instead a sharp decline of 19.2%.

Among the main factors responsible for the rapidly closing gap are the
Vulnerability Fujiwhara events
<https://www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/>
and increasing Patch Tuesday releases. With the deluge of vulnerabilities
hitting vulnerability management teams, it can be hard to keep up. What can
organizations do?

Show Notes

0:15 – Speaker Introduction
1:30 – Rate of vulnerability disclosures in 2020
2:54 – CVSS v3 and how it has been working out
4:03 – CVSS v2 vs. CVSS v3 and maintaining both versions
5:16 – Development of CVSS v4
5:38 – SSVC and what’s on the horizon
16:12 – Why vulnerability prioritization is so critical
21:17 – “Is it 0-day or 0-care”: thoughts from DEF CON 19 Panel
25:52 – New FIRST special interest group (SIG): Exploit Prediction Scoring
System (EPSS)
30:38 – Predicting vulnerabilities
33:50 – Advice for companies starting to mature their vulnerability
management programs
37:22 – Reactions to testimony regarding complex cybersecurity
vulnerabilities before the U.S. Senate Committee on Commerce, Science, and
Transportation July 11, 2018
40:59 – VINCE (Vulnerability Information and Coordination Environment):
coordinated vulnerability disclosure web platform
44:30 – Closing thoughts and prediction on vulnerability disclosures in 2021

FURTHER READING:

   - Prioritizing Vulnerability Response with a Stakeholder-Specific
     Vulnerability Categorization (SSVC)
     <https://insights.sei.cmu.edu/cert/2019/12/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization.html>
   - Risk Based Security’s CVSSv3 Article Series
     <https://www.riskbasedsecurity.com/2017/01/05/cvssv3-newer-is-better-right/>
   - The Vulnerability Fujiwhara Effect
     <https://www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/>
   - DEF CON 19 Panel: Is it 0-day or 0-care?
     <https://www.youtube.com/watch?v=71Hb6pqIzXE&t=33s>
   - Exploit Prediction Scoring System (EPSS) <https://www.first.org/epss/>
   - Hearing on “Complex Cybersecurity Vulnerabilities: Lessons Learned
     from Spectre and Meltdown”: Written Testimony of Art Manion
     <https://www.commerce.senate.gov/services/files/48b3bb9c-570e-4c82-b85e-1b1f017a19ab>
   - Software Engineering Institute Vulnerability Information and
     Coordination Environment (VINCE) <https://www.kb.cert.org/vince/>

The Right Security

This is the latest in our video series The Right Security, in which we talk
with leaders and veterans in the security industry, tackling the biggest
issues impacting organizations today.

Check out The Right Security series
<https://www.youtube.com/playlist?list=PLkV2qhiMyRKspi14k6qALEGirECTVRHp9> on
YouTube, and subscribe to the Risk Based Security channel
<https://www.youtube.com/user/riskbased> to see new episodes in your feed.