Rethinking vulnerability prioritization

In the fast-paced world of software development, engineers are often flooded with alerts about security vulnerabilities, each tagged with a severity rating that screams for attention. Yet, these severity-based ratings can lead to wasted time and effort, as they don't always reflect the true risk or exploitability of an issue. It's a common pain point: understanding what really demands immediate action because we’re all drowning in common vulnerabilities and exposures (CVEs). 

That's why we're shifting the focus towards a more developer-centric approach to vulnerability management—one that cuts through the noise and pinpoints the vulnerabilities that truly matter to your organization. Using a data-driven approach that allows both security teams and engineers to have a more nuanced understanding of what needs attention that takes into account not just the severity, but what's loaded at runtime, the likelihood of exploitation, proof of the exploit, and its usage in active malware campaigns.

The shortcomings of severity-based prioritization

Severity scores such as those provided by the Common Vulnerability Scoring System (CVSS) have been invaluable to security teams, but they have their limitations. A "critical" severity score doesn’t necessarily mean a vulnerability is being actively exploited or even that it’s exploitable in a particular environment. As a result, security teams spend considerable effort on custom processes to augment their scan-based tools with this type of detail from multiple sources only to find by the time they provide a prioritized list to the dev teams, the information is stale. In other cases they simply go just on severity where teams expend significant resources patching critical vulnerabilities that, in reality, pose a lower risk than some "high" severity vulnerabilities.

A more strategic approach: Weighing severity, EPSS, proven exploit paths, and known ransomware

Our new approach to prioritization refines the focus for engineers and security teams alike. We consider vulnerability severity alongside actionable intelligence from Exploit Prediction Scoring System (EPSS) forecasts and active exploit data from resources like the CISA KEV catalog. This strategy ensures that your team channels its efforts on the threats that pose a tangible risk to your applications that depend heavily on open-source packages.

Interactive application security testing (IAST) further sharpens this focus. By revealing actual exploit paths, IAST guides us to the vulnerabilities that aren’t just theoretical but truly exploitable in your custom code. This integration streamlines your team's work, allowing you to tackle the most critical security issues first and fortify your software's defenses effectively.

The weighted system we’ve added considers four key elements to provided an objective measure with input from various external data points such as:

1. CVE severity: The established baseline for the potential impact of a vulnerability.
2. Exploit Prediction Scoring System (EPSS): A predictive model that estimates the likelihood of a vulnerability being exploited in the wild.
3. Known ransomware associations: Information on whether a vulnerability is being used actively as part of a ransomware campaign, as cataloged by agencies like CISA.
4. IAST exploitable vulnerability: A real-time testing method that identifies vulnerabilities with actual exploit paths in running applications, highlighting issues that aren’t just theoretically dangerous but practically exploitable.

The benefits of a weighted prioritization system

Our tailored prioritization system is a powerhouse allowing you not only to use the New Relic platform as a source of data but also third-party security tools that allow your teams to maximize their security impact through:

• Laser-focused resource allocation: Zero in on the vulnerabilities most likely to be exploited, ensuring your security team's efforts pack the biggest punch.
• Proactive defense: By homing in on vulnerabilities already in the crosshairs of known ransomware or in the new version of your application that's about to be deployed, you can shore up defenses before they result in a breach.
• Adaptive security: With the ability to swiftly recalibrate priorities based on the latest intelligence, your security posture remains resilient and responsive, no matter how the digital winds shift.

Conclusion

Our journey helping organizations adopt a DevSecOps culture is driven by our commitment to reducing alert fatigue and easing the burden on developers. We're continuously seeking ways to enhance our prioritization process with additional insights—from package quality to supply chain integrity and beyond. These improvements are aimed at illuminating the most pressing risks, allowing developers to focus their efforts on enhancing the security and robustness of their applications.

Weaving EPSS, data on exploited vulnerabilities, and active malware campaigns into our prioritization process, we empower organizations to shore up their defenses where it counts the most. As we hone our methods and tools, we encourage everyone to embrace this new developer-centric way to tackle vulnerability management.

Keep an eye out for further updates as we deepen our commitment to fortifying security for developers and security organizations across the globe. By joining forces, we're not just strengthening defenses—we're shaping a more secure future for the digital world.