blog

Is CISA KEV applicable to application security? A study with EPSS 

CISA KEV Appsec

CISA KEV has been a handy tool for vulnerability exploitability information for traditional patching and vulnerability management. But does it work with Application security? Let’s analyse the data leveraging EPSS threat intelligence data

What are the most vulnerable product in CISA KEV Database

In this analysis, I wanted to explore what elements of Application security (libraries and similar) are usable from application security. The research also shows that amongst the number of highly exploitable vulnerabilities in the list, only 42% are highly exploited in the wild, according to EPSS data cross references with CISA Exploitable List. 

CISA KEV Appsec EPSS
CISA KEV Appsec EPSS

As cybersecurity experts, we are constantly bombarded with vulnerable data. It is essential to keep on top of the latest available data. 

For this research, we have used.

One such tool recently gaining popularity is the Common Vulnerabilities and Exposures (CVE) program from the Cybersecurity and Infrastructure Security Agency (CISA). However, more than relying on the CISA Known Exploitable Vulnerability program as a decision point is required regarding application security.

Can you use CISA KEV for Application Security?

Appsec CISA Kev vulnerability Set EPSS

The CISA program is an excellent tool for traditional vulnerability management but falls short regarding application security. According to research data, only 3% of CVEs in the database are related to application security libraries and other application security issues. This means that the program provides limited information on the vulnerabilities present in the application code and fails to address the root cause of many potential security breaches.

Top vulnerable product CISA KEV Appsec EPSS
Top vulnerable product CISA KEV Appsec EPSS

The top vulnerable products remain off-the-shelf even filtering out the top vulnerability data using EPSS and prioritisation based on EPSS. In contrast, Microsoft, Adobe and others are the top vulnerable.

According to recent cross-reference data between EPSS and CISA KEV, 58% of CVEs inKEVdatabase have a low exploitability score from EPSS, meaning they are less likely to be exploited in the wild. Only 42% of CVEs have a high exploitability score, indicating that they are more likely to be exploited in the wild. The EPSS system measures the likelihood of a vulnerability being exploited in the wild.  

Note for this analysis, we referenced Vulnerabilities with EPSS value > 0.8

Regulation is linked to KEV, and exploitability vs EPSS data is not mutually exclusive. Both parameters are essential in deciding whether to prioritize one vulnerability instead of the other. 

 While this system is helpful, it must provide more information to make informed decisions about application security.

Other elements to consider when evaluating the exploitability data is the local context, the externality of the systems/apps, the age of the vulnerabilities and more.

The image below represents the number of vendors (right) with the number of mentions in the KEV) and the number of CVEs with High Exploitability values on the right. The numbers on the Risght display the total number of high exploitable rates CVE per vendor.

This tool provides more information on the probability of exploitation and the potential impact of a vulnerability. It considers factors such as the prevalence of the vulnerability across the organization, the ease of exploitability, and the potential impact of a breach. Using the EPSS system in combination with the CISA program provides a more comprehensive view of application security vulnerabilities. It allows organizations to make informed decisions about where to focus their resources.

VendorSoftwareCVE IDs
ApacheStruts 2CVE-2017-5638, CVE-2018-11776
EclipseJettyCVE-2019-0193, CVE-2019-0194, CVE-2019-0195
GoogleAndroidCVE-2019-2215, CVE-2020-0104, CVE-2020-0423
Microsoft.NET FrameworkCVE-2020-0605, CVE-2020-0606, CVE-2020-1108
OracleJavaCVE-2019-2699, CVE-2020-14756, CVE-2021-2163
OpenSSLOpenSSLCVE-2018-0739, CVE-2019-1551, CVE-2021-23840
PHPPHPCVE-2018-14883, CVE-2019-11043, CVE-2020-7066
PythonDjangoCVE-2019-14232, CVE-2019-19844, CVE-2020-24583

This table is incomplete, and many more software libraries have known vulnerabilities.

However, it’s important to note that relying on either CISA or EPSS as a decision point should not be isolated. Instead, a multi-faceted approach that considers all aspects of application security is necessary to protect the organisation. This approach should include regular vulnerability scanning, penetration testing, secure coding practices, and continuous application environment monitoring.

In conclusion, while the CISA program is an essential tool for traditional vulnerability management, it must catch up regarding application security. Organizations must look beyond the CISA program and use tools such as EPSS in combination with it to get a more comprehensive view of application security vulnerabilities. Additionally, a multi-faceted approach that includes regular vulnerability scanning, penetration testing, secure coding practices, and continuous monitoring is necessary to protect the organisation from potential security breaches.

Future Work

If your organization is actively using sbom declaration, you could pivot on the product id/CPE id and see if you are using any vulnerable libraries or products in the CISA KEV database. 

Conclusions

In conclusion, CISA Kev is a useful tool to prioritize traditional software and O/S vulnerabilities, while only a small percentage has it proven useful to prioritize software products. EPSS data and other Cyber Threat Intel have proven more effective in prioritizing application security vulnerabilities. Product-based view and Impact analysis have also proven to be effective in prioritizing the application security vulnerabilities from a risk-based perspective. 

Using Chat GPT for data analsys 

I’ve tried using some reference data for chat GPT for this research, and currently, Chat GPT seems to receive incorrect data. Below is some data and correctness vs error rate

When asked the question, the majority of answers were incorrect. Always trust a secondary source of data when looking at Vulnerabilities.

VendorSoftwareCVEExploitability Score
ApacheStruts 2CVE-2017-56380.975650
ApacheTomcatCVE-2017-126150.974990
ApacheTomcatCVE-2017-12616NOT in CISA
ApacheTomcatCVE-2020-9484NOT in CISA
EclipseJettyCVE-2015-2080NOT in CISA
GoogleAngularJSCVE-2019-7339NOT in CISA
GoogleAngularJSCVE-2019-72380.973960
GoogleAngularJSCVE-2019-6975NOT in CISA
GoogleAngularJSCVE-2018-11360NOT in CISA
GoogleAngularJSCVE-2016-6986NOT in CISA
GoogleGuavaCVE-2018-10237NOT in CISA
GoogleGuavaCVE-2018-10238NOT in CISA
GoogleGuavaCVE-2018-10239NOT in CISA
GoogleGuavaCVE-2018-10240NOT in CISA
GoogleGuavaCVE-2018-10241NOT in CISA
GoogleGuavaCVE-2018-10242NOT in CISA
GoogleGuavaCVE-2018-10243NOT in CISA
GoogleGuavaCVE-2018-10244NOT in CISA
JetBrainsIntelliJ IDEACVE-2019-14893NOT in CISA
JetBrainsIntelliJ IDEACVE-2019-14894NOT in CISA
JetBrainsTeamCityCVE-2019-15843NOT in CISA
JetBrainsTeamCityCVE-2019-16877NOT in CISA
JetBrainsTeamCityCVE-2020-14198NOT in CISA
Microsoft.NET FrameworkCVE-2020-0605NOT in CISA
Microsoft.NET FrameworkCVE-2020-0606NOT in CISA
Microsoft.NET FrameworkCVE-2020-06460.974890
Microsoft.NET FrameworkCVE-2020-0608NOT in CISA KEV
MicrosoftASP.NETCVE-2019-1075NOT in CISA KEV
MicrosoftASP.NETCVE-2019-1076NOT in CISA KEV
MicrosoftASP.NETCVE-2019-1077NOT in CISA KEV
MicrosoftASP.NETCVE-2019-1078NOT in CISA KEV
MicrosoftASP.NETCVE-2019-1079NOT in CISA KEV
MicrosoftSharePointCVE-2020-0615NOT in CISA KEV
MicrosoftSharePointCVE-2020-0616NOT in CISA KEV
MicrosoftSharePointCVE-2020-0617NOT in CISA KEV
MicrosoftSharePointCVE-2020-0618NOT in CISA KEV
MicrosoftSharePointCVE-2020-0619NOT in CISA KEV
MicrosoftSharePointCVE-2020-0620NOT in CISA KEV
MicrosoftSharePointCVE-2020-0621NOT in CISA KEV
MicrosoftSharePointCVE-2020-0622NOT in CISA KEV
MicrosoftSharePointCVE-2020-0623NOT in CISA KEV
MicrosoftSharePointCVE-2020-0624NOT in CISA KEV
OracleWebLogic ServerCVE-2019-2618NOT in CISA KEV
OracleWebLogic ServerCVE-2019-2890NOT in CISA KEV
OracleWebLogic ServerCVE-2019-2891NOT in CISA KEV
OracleWebLogic ServerCVE-2020-25550.957860
OracleWebLogic ServerCVE-2020-14645NOT in CISA KEV
Red HatJBoss Enterprise Application PlatformCVE-2017-121490.974250
Red HatJBoss Enterprise Application PlatformCVE-2017-12150NOT in CISA KEV
Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.