CISA KEV has been a very useful tool for vulnerability exploitability information for traditional patching and vulnerability management. But does it work with Application security?

In this analysis, I wanted to explore what elements part of Application security (libraries and similar) are usable from application security. The research also shows that amongst the number of high exploitable vulnerabilities in the list with only 42% are highly exploited in the wild, according to EPSS data cross references with CISA KEV. 

As cybersecurity experts, we are constantly bombarded with vulnerable data. It is essential to keep on top of the latest available data. 

For this research, we have used.

• CVE/MITRE data: 
• CISA KEV Data: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json 
• Enrichment data from http://cve.circl.lu/
• EPSS Data from: https://api.first.org/data/v1/ 

One such tool recently gaining popularity is the Common Vulnerabilities and Exposures (CVE) program from the Cybersecurity and Infrastructure Security Agency (CISA). However, more than relying on the CISA KEV program as a decision point is required regarding application security.

The CISA KEV program is an excellent tool for traditional vulnerability management but falls short regarding application security. According to research data, only 3% of CVEs in the database are related to application security libraries and other application security issues. This means that the program provides limited information on the vulnerabilities present in the application code and fails to address the root cause of many potential security breaches.

Even filtering out the top vulnerability data using EPSS and prioritisation based on EPSS, the top vulnerable products remain off-the-shelf, whereas Microsoft, adobe and others are the top vulnerable.

According to recent cross-reference data between EPSS and CISA KEV, 58% of CVEs in the CISA KEV database have a low exploitability score from EPSS, meaning they are less likely to be exploited in the wild. Only 42% of CVEs have a high exploitability score, indicating that they are more likely to be exploited in the wild. The EPSS system measures the likelihood of a vulnerability being exploited in the wild.  

Regulation is linked to CISA-Kev, and exploitability vs EPSS data is not mutually exclusive. Both parameters are essential in deciding whether to prioritize one vulnerability instead of the other. 

 While this system is helpful, it must provide more information to make informed decisions about application security.

Other elements to consider when evaluating the exploitability data is the local context, the externality of the systems/apps, the age of the vulnerabilities and more.

Number of vendors (right) with the number of mentions of CISA KEV) and on the right the number of CVE with High Exploitability values. The numbers on the Risght display the total number of high exploitable rates CVE per vendor.

This tool provides more information on the probability of exploitation and the potential impact of a vulnerability. It considers factors such as the prevalence of the vulnerability across the organization, the ease of exploitability, and the potential impact of a breach. Using the EPSS system in combination with the CISA KEV program provides a more comprehensive view of application security vulnerabilities and allows organizations to make informed decisions about where to focus their resources.

Please note that this table is not comprehensive and many more software libraries have known vulnerabilities.

However, it’s important to note that relying on either CISA or EPSS as a decision point should not be isolated. Instead, a multi-faceted approach that considers all aspects of application security is necessary to protect the organisation. This approach should include regular vulnerability scanning, penetration testing, secure coding practices, and continuous application environment monitoring.

In conclusion, while the CISA program is an essential tool for traditional vulnerability management, it needs to catch up when it comes to application security. Organizations must look beyond the CISA program and use tools such as EPSS in combination with it to get a more comprehensive view of application security vulnerabilities. Additionally, a multi-faceted approach that includes regular vulnerability scanning, penetration testing, secure coding practices, and continuous monitoring is necessary to protect the organisation from potential security breaches.

Future Work

If your organization is actively using sbom declaration, you could pivot on the product id/CPE id and see if you are using any of the vulnerable libraries or products in the CISA KEV database. 

Conclusions

In conclusion, CISA Kev is a useful tool to prioritize traditional software and O/S vulnerabilities, while only for a small percentage has it proven useful to prioritize software products. EPSS data and other Cyber Threat Intel have proven more effective in prioritizing application security vulnerabilities. Product-based view and Impact analysis have also proven to be effective in prioritizing the application security vulnerabilities from a risk-based perspective. 

How Phoenix Security Can Help:

Phoenix Security is a platform that collects information from various sources, contextualizes, and prioritizes vulnerabilities from code to the cloud.

If you want to know more about Phoenix security and doing vulnerability management at scale, contact us https://phoenix.security/request-a-demo/ 

Phoenix Security Enables the automatic integration of EPSS and CISA KEV alerts in your assets and vulnerability Set to give you always the most up-to-date list of vulnerabilities to fix first. Having the selection based on EPSS and CISA KEV puts you in the best position to decide how to prioritize the vulnerabilities accordingly.

Using Chat GPT for data analsys 

I’ve tried using some reference data for chat GPT for this research, and currently, Chat GPT seems to receive incorrect data. Below is some data and correctness vs error rate

When asked the question, the majority of answers were incorrect. Always trust a secondary source of data when looking at Vulnerabilities.