Vulnerability Prioritization: Are You Getting It Right?
Thank you to all who attended our October 8th event. Please enjoy this free playback.
Dima Gorbonos, Senior Sales Engineer at WhiteSource
Is a key technical advisor and solution advocate, responsible for planning and delivering of solution demonstrations to large Enterprises. It’s his role to respond to functional and technical elements of RFIs/RFPs, so he’s an outstanding choice to guide our questions related to our own Vulnerability Prioritization and program requirements.
Dima will be assisted by John Timberlake , A self-appointment “techie” who enjoys the luxury of working with enterprise clients who are embracing DevOps and Cloud Technologies to transform the way they build software and run their business. Leader for the Seattle based North American DevOps Group
John has graciously agreed to provide attendees with some spectacular resources.
Their conversation and demo is supported by the work of David Habusha, WhiteSource Product Executive
Here’s a recent article sample:
Developers must find a way to zero in on the security vulns that present the most risk and quickly address them without slowing down the pace of development.
The past few years have seen an exponential rise in the volume of reported security vulnerabilities. Combined with the increase in headline-grabbing security breaches, it’s no surprise that organizations are upping their application-security game. This includes a heightened focus on the detection and remediation of security vulnerabilities as early as possible in their DevOps pipeline — leaving developers with the added task of handling an increasingly high number of security alerts.
But they can’t remediate everything. This is why they must find a way to zero in on the security vulnerabilities that present the most risk and quickly address them without slowing down the pace of development.
The prioritization of vulnerabilities has become a burning issue for software development outfits that want to stay ahead of security while not falling behind on AppSec release dates. Unfortunately, there is currently no set standard or practice for how to prioritize them. Different teams prioritize security alerts based on a variety of parameters and considerations — not necessarily the most effective ones, either. As a result, they are spending a lot of valuable time figuring out what to tackle first, to varying degrees of success.
To understand which prioritization methods are currently most common, we surveyed 300 of our customers and asked them how they prioritize vulnerability alerts. The top five considerations that arose were vulnerability severity, application type, the popularity of the vulnerable open source component, vulnerability disclosure date, and ease of remediation.
To learn more, we added a new perspective: the hacker community. We took the 100 most common open source vulnerabilities reported in 2019 based on the WhiteSource vulnerabilities database and compared characteristics, such as popularity, disclosure date, and severity score, to the level of discussion in the hacker community based on data from CYR3CON, which predicts cyberattacks based on artificial intelligence gathered from hacker communities.
In doing so, we’re able to gain insights about the effectiveness of common prioritization methods are and how they measure up when it comes to the hacker community’s preferences.
Many organizations consider the Common Vulnerability Scoring System (CVSS) vulnerability score first when prioritizing remediation since it’s so easily accessible and seemingly straightforward. Unfortunately, this parameter does little to shorten the long list of security vulnerabilities that teams need to address since data shows over 55% of the top open-source security vulnerabilities were rated as high or critical.
<Enjoy the full article here>
WhiteSource helps businesses all over the world to develop better software by harnessing the power of open source. Open source components, a significant and important part of commercial software today, are often substantially under-managed. WhiteSource fully automates the entire process of open source components selection, approval, tracking and management, including real-time alerts on vulnerable and problematic open source components, customized reports, enforcing policies automatically and more. An integral part of your software development environment, WhiteSource guarantees the continuity and integrity of open source management and reduces respective risks. WhiteSource provides a complete solution that supports all programming languages. The solution seamlessly plugs into all popular build tools. WhiteSource is a venture-backed company with offices in NY, Boston and Tel-Aviv.