June 16, 2023: A Week in Vulnerability Management with Patrick Garrity

Published: June 20, 2023
on the channel: Nucleus Security

This was another exciting week in vulnerability management. Here's an overview of what you missed, hosted by Patrick Garrity, Cybersecurity Researcher and Leader at Nucleus Security.

▬▬▬▬▬ A Week in Vulnerability Management ▬▬▬▬▬
0:00 - Intro
0:18 - Sunday: Mapping NIST, CVSS, and CISA KEV
1:53 - Monday: CVSS Distribution Over Time
2:23 - Tuesday: CVSS Scoring and CISA BOD 23-02
4:40 - Wednesday: CISA's SBOM-A-Rama
6:27 - Thursday: Coalition, Inc's CVE Scoring System
9:35 - Software Transparency by Chris Hughes and Tony Turner
10:49 - Wrap Up

Sunday: I mapped the National Institute of Standards and Technology's (NIST) National Vulnerability Database, CVSS, and the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog. This reconfirms that relying solely on the CVSS base score for prioritization will result in missing confirmed and exploited vulnerabilities.

Monday: I created a racing bar chart to compare the CVSS distribution over time, which highlights the impact CVSS v3 had in increasing scores in the 8-8.9 range, so that I can observe historical trends as I dive further into CVSS v4.

Tuesday: The Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 23-02, emphasizing the need to secure internet-exposed management interfaces. I'm excited to see more directives as cybersecurity gains national priority. I also spent time mapping CVSS base score metrics from CVSS v3 to the FIRST CVSS v4 calculator, predicting future vulnerability scoring trends. I've been rescoring vulnerabilities this week to predict what impact the new scoring will have when CVSS v4 is in use.

Wednesday: CISA's SBOM-a-rama event highlighted the importance of software transparency and securing the software supply chain. It was an excellent opportunity to learn from federal government and industry experts, including Allan Friedman, PhD, Art Manion, and Chris Blask, among many more.

Thursday: Cybersecurity insurance company Coalition, Inc. launched its own scoring system for CVEs, leveraging GreyNoise Intelligence and integrating with EPSS and CVSS. Tiago Henriques answered several questions I had about the reason behind launching their own scoring system.

Join the conversation and share your thoughts on these important topics in vulnerability management. Let's work together to strengthen our cybersecurity defenses!

#cybersecurity #infosecurity #riskmanagement #vulnerabilitymanagement #securityoperations #security #cisa #InfoSec #CVSS #CISA #ThreatIntel #SoftwareSupplyChain