
What is risk-based vulnerability management, and why is it essential to prioritize vulnerabilities


Introduction

In today’s digital age, cybersecurity threats are becoming increasingly sophisticated, and organizations are struggling to keep up with the ever-evolving threats. Vulnerability management is essential to any cybersecurity strategy, as it helps identify and address vulnerabilities that attackers could exploit. Traditional vulnerability management approaches have focused on identifying and patching vulnerabilities in systems and applications. However, this approach can be time-consuming and resource-intensive, as organizations often have many vulnerabilities to address and limited resources for patching them all. Recently, a risk-based vulnerability management approach has gained popularity due to its ability to prioritize vulnerabilities based on their potential impact on the organization’s business objectives.

What is Risk-Based Vulnerability Management

Risk-based vulnerability management is an approach that prioritizes vulnerabilities based on their potential impact on the organization’s business objectives. This means that vulnerabilities that pose the greatest risk to the organization are addressed first. In contrast, lower-risk vulnerabilities may be addressed later or accepted as part of the organization’s risk management strategy. The risk-based approach involves evaluating the potential impact of a vulnerability on the organization, taking into account factors such as the criticality of the system, the data it contains, and the potential impact on business operations.

The risk-based approach to vulnerability management is becoming increasingly popular, and it has several benefits over traditional vulnerability management approaches. Firstly, it enables organizations to use their limited resources more efficiently by prioritizing the vulnerabilities that pose the greatest risk. Secondly, it gives organizations a better understanding of their cybersecurity risks and enables them to communicate those risks more effectively to key stakeholders. Finally, it aligns vulnerability management efforts with the organization’s business objectives, ensuring that cybersecurity risks are addressed in a way that supports its overall goals.

Gartner’s View on Risk-Based Vulnerability Management

Gartner is a leading research and advisory company that provides insights into the technology industry. According to Gartner, the risk-based vulnerability management approach is more successful than pure SLA-based or CVSS-based approaches. The CVSS (Common Vulnerability Scoring System) is a widely used framework for assessing the severity of software vulnerabilities. It assigns a score to each vulnerability based on factors such as the access required to exploit the vulnerability, the impact of the vulnerability, and the complexity of the exploit. However, Gartner argues that the CVSS-based approach is limited because it does not consider the context of the vulnerability, such as the business criticality of the system or the data it contains.

Similarly, Gartner argues that SLA (Service Level Agreement)-based approaches, which are based on meeting specific service level targets, are ineffective because they do not adequately measure risk. Gartner recommends a risk-based approach to prioritize and manage vulnerabilities that considers the vulnerability’s context and potential impact on the organization’s business objectives.

How to deploy a mature risk-based vulnerability assessment

Vulnerability maturity metrics and vulnerability management frameworks

You can leverage the vulnerability maturity assessment framework to assess your organization’s maturity against industry standards. More details in this blog: https://phoenix.security/vulnerability-management-framework/

What is contextual risk-based vulnerability management

Contextual vulnerability management is a comprehensive approach to identifying, analyzing, and mitigating software and cloud infrastructure vulnerabilities. We have written extensively on the power of prioritization and contextualization. Gartner has also recently published several articles on the power of risk-based vulnerability management.

What elements are used to calculate risk

Phoenix Risk Scoring Principles

In risk management, we have three main factors:

  • The probability of exploitation, which can be derived from
    • Location of the asset (internal / external) where the vulnerability is manifested
    • Likelihood of exploitation
      • EPSS and the likelihood of exploitation
      • Cyber threat intelligence such as VulnDB, CISA KEV and local advisories
    • Dangerousness of the exploit
      • Is the exploit a Remote Code Execution (RCE)?
      • Is there an exploit available for the vulnerability?
      • Is the exploit module automated / readily available in Exploit-DB, GitHub, nuclei or Metasploit?
  • The base danger of the exploit, generally communicated by the CVSS / CWSS score
  • The overall impact of the vulnerability
    • How many users it impacts
    • How well the organization can survive with the application compromised
    • How much data there is to compromise
    • How private the data in the application is (sensitive, critical, etc.)
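The following Python snippet is an added example (not Phoenix Security’s scoring formula) that combines the three factors above into a single score: probability of exploitation (EPSS, CISA KEV, public exploit, RCE, asset location) multiplied by impact (CVSS base, data sensitivity, users affected, business criticality). All weights, thresholds and the sample findings are assumptions chosen for illustration; the finding identifiers are constructed placeholders, not real CVEs.

```python
"""Illustrative risk score built from the factors listed above.

Added example; the weights and thresholds are assumptions, not the
vendor's formula. Findings and their attributes are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    cvss: float            # CVSS base score, 0-10 (base danger)
    epss: float            # EPSS probability of exploitation, 0-1
    in_kev: bool           # listed in CISA KEV (threat intelligence)
    exploit_public: bool   # module available in Exploit-DB / Metasploit / nuclei
    rce: bool              # remote code execution
    internet_facing: bool  # asset location: external (True) or internal (False)
    users_affected: int
    data_sensitivity: str  # "public" | "internal" | "confidential" | "regulated"
    business_critical: bool


# Assumed mapping of data classification to an impact multiplier.
SENSITIVITY = {"public": 0.2, "internal": 0.5, "confidential": 0.8, "regulated": 1.0}


def probability(f: Finding) -> float:
    """Probability of exploitation in [0, 1], starting from EPSS and
    adjusted by threat intelligence, exploit availability and location."""
    p = f.epss
    if f.in_kev:                 # known exploited in the wild: treat as near-certain
        p = max(p, 0.9)
    if f.exploit_public:         # weaponised module exists: floor at 50% (assumed)
        p = max(p, 0.5)
    if f.rce:                    # RCE is more dangerous than e.g. a local DoS
        p = min(1.0, p * 1.25)
    if not f.internet_facing:    # internal-only asset is harder to reach (assumed factor)
        p *= 0.3
    return min(1.0, p)


def impact(f: Finding) -> float:
    """Impact in [0, 1]: CVSS base scaled by sensitivity, users and criticality."""
    base = f.cvss / 10
    users = min(1.0, f.users_affected / 100_000)   # saturate at 100k users (assumed)
    crit = 1.0 if f.business_critical else 0.5
    sens = SENSITIVITY[f.data_sensitivity]
    return base * (0.4 * sens + 0.3 * users + 0.3 * crit)


def risk_score(f: Finding) -> float:
    """Risk = probability x impact, scaled to 0-1000 for readability."""
    return round(1000 * probability(f) * impact(f), 1)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample: three findings whose CVSS order (A, C, B) differs
# from their contextual risk order.
SAMPLE = [
    Finding("FINDING-A", 10.0, 0.02, False, False, False, False, 500, "internal", False),
    Finding("FINDING-B", 7.5, 0.60, True, True, True, True, 200_000, "regulated", True),
    Finding("FINDING-C", 9.8, 0.15, False, True, True, True, 20_000, "confidential", True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.id}: CVSS {f.cvss:>4}  risk {risk_score(f):>6}")
```

Run as a script, the CVSS-10 finding on an internal, non-critical asset with a 2% EPSS drops to the bottom, while the CVSS-7.5 finding that is internet facing, in CISA KEV and on regulated data rises to the top; that reordering is the whole point of adding context to a severity score.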

Applying Risk-based Vulnerability Assessment – an example

An example of this approach is the following picture, taken from a few blog posts (this one and this other one from Chris Hughes) that got a lot of attention.

Credit Ingmar Vis

Only a small percentage of vulnerabilities are exploitable, and even fewer in the context of a specific application.

An example:

Application XYZ has 9 CVEs with a CVSS score of 10.

Most security tools nowadays would spit out vulnerabilities with a threat level of 9 or higher. The list of CVEs in FictoApp is in the comments.

If implemented correctly, even using just one of the parameters shown above (EPSS), a risk-based vulnerability maturity project can significantly help refocus on the vulnerabilities that matter most (full story and link to the blog post here).

Using the EPSS score as an example of exploitability can reduce the vulnerabilities that require attention to 6 or even fewer.

Bucketing the vulnerability exploitation probability by EPSS score: <1%, <10%, <50%, <75%, >75%
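The bucketing described above, as an added Python example (not the author’s or Ingmar Vis’s code): nine CVSS-10 findings from a fictional application are placed into the EPSS buckets <1%, <10%, <50%, <75% and >75%, and only those at or above an attention threshold are kept. The finding identifiers and EPSS values are constructed, and the 10% threshold is an assumption for illustration.

```python
"""Triage a list of CVSS-10 findings by EPSS bucket.

Added example. Finding ids and EPSS scores are constructed, and the
attention threshold (10%) is an assumed cut-off, not a recommendation
from the page.
"""
from collections import Counter

# Upper bounds (exclusive) and labels for the page's buckets, in order.
BUCKETS = [(0.01, "<1%"), (0.10, "<10%"), (0.50, "<50%"), (0.75, "<75%")]
TOP_BUCKET = ">75%"   # scores of 75% and above (boundary treated as top bucket)


def epss_bucket(epss: float) -> str:
    """Return the bucket label for an EPSS probability in [0, 1]."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS must be a probability between 0 and 1, got {epss}")
    for upper, label in BUCKETS:
        if epss < upper:
            return label
    return TOP_BUCKET


# Constructed: nine CVSS-10 findings of a fictional app with made-up EPSS scores.
FICTOAPP_EPSS = {
    "FINDING-01": 0.002,
    "FINDING-02": 0.005,
    "FINDING-03": 0.030,
    "FINDING-04": 0.080,
    "FINDING-05": 0.120,
    "FINDING-06": 0.450,
    "FINDING-07": 0.600,
    "FINDING-08": 0.900,
    "FINDING-09": 0.970,
}


def bucket_counts(scores: dict[str, float]) -> dict[str, int]:
    """Count findings per EPSS bucket, listing every bucket even if empty."""
    counts = Counter(epss_bucket(s) for s in scores.values())
    labels = [label for _, label in BUCKETS] + [TOP_BUCKET]
    return {label: counts.get(label, 0) for label in labels}


def needs_attention(scores: dict[str, float], threshold: float = 0.10) -> list[str]:
    """Findings at or above the threshold, most likely to be exploited first."""
    keep = [(fid, s) for fid, s in scores.items() if s >= threshold]
    return [fid for fid, _ in sorted(keep, key=lambda t: t[1], reverse=True)]


if __name__ == "__main__":
    print("Findings per EPSS bucket:")
    for label, n in bucket_counts(FICTOAPP_EPSS).items():
        print(f"  {label:>5}: {n}")
    todo = needs_attention(FICTOAPP_EPSS)
    print(f"{len(todo)} of {len(FICTOAPP_EPSS)} CVSS-10 findings need attention first: {todo}")
```

With these constructed scores, four of the nine CVSS-10 findings sit below 10% EPSS and five remain for immediate attention; the scanner’s “nine criticals” becomes a shorter, ordered worklist without any information beyond EPSS.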

Credit Ingmar Vis

Advantages of using a Risk-based Vulnerability management approach

Risk-based vulnerability management provides several benefits over traditional vulnerability management approaches. 

  1. Improved Focus on High-Priority Vulnerabilities

Organizations can first focus on addressing the most critical vulnerabilities by prioritizing vulnerabilities based on their potential impact on business objectives. This can help organizations reduce their cybersecurity risk more effectively and use limited resources better.

  2. Better Alignment with Business Objectives

A risk-based approach to vulnerability management can help organizations better align their cybersecurity strategies with their overall business objectives. By considering the potential impact of vulnerabilities on business objectives, organizations can more effectively communicate the importance of vulnerability management to key stakeholders and ensure that resources are allocated appropriately.

  3. More Effective Use of Automated Tools

Automated vulnerability scanning tools are a key component of most vulnerability management strategies. However, these tools can generate many false positives, which can be time-consuming and resource-intensive to investigate. A risk-based approach to vulnerability management can help organizations filter out false positives more effectively and focus their efforts on addressing the most critical vulnerabilities.

In conclusion, a risk-based approach aligns vulnerability management efforts with the organization’s business objectives, ensuring that cybersecurity risks are addressed to support its overall goals.

Challenges of Risk-Based Vulnerability Management

Improving vulnerability remediation with EPSS

While risk-based vulnerability management provides several benefits, it also poses some challenges. Firstly, it requires knowledge of risk and the collection of external parameters. Whereas security tools traditionally provide a view of potential issues with a CVSS or CWSS score, a risk-based approach requires a more comprehensive overview of location, business criticality, probability of exploitation and other contextual factors.

Conclusions

Risk-based vulnerability management is the key to advancing the vulnerability management program for application and cloud security.

SLA and vulnerability severity are antiquated methods that do not provide the tools for a mature vulnerability management program anymore.

How can Phoenix Security Help

Phoenix Security leverages the power of cyber threat intelligence, EPSS, location and business context to calculate the risk exposure of vulnerabilities and applications in real time.

Phoenix Security also allows a risk-based approach to SLAs and other traditional parameters. No matter where your organization is in its application and cloud security journey, Phoenix Security is here to help.

If you want to know more about Phoenix security and doing vulnerability management at scale, contact us https://phoenix.security/request-a-demo/

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
