Leveraging CISA Known Exploited Vulnerabilities: Why Attack Surface Vulnerability Validation Is Your Strongest Defense
IBM News, Friday, December 8,2023
With over 20,000 Common Vulnerabilities and Exposures (CVEs) being published each year1, the challenge of finding and fixing software with known vulnerabilities continues to stretch vulnerability management teams thin.
These teams are given the impossible task of driving down risk by patching software across their organization, with the hope that their efforts will help to prevent a cybersecurity breach. Because it is impossible to patch all systems, most teams focus on remediating vulnerabilities that score highly in the Common Vulnerability Scoring System (CVSS)-a standardized and repeatable scoring system that ranks reported vulnerabilities from most to least critical.
However, how do these organizations know that focusing on software with the highest scoring CVEs is the right approach? While it's nice to be able to report to executives about the number or percentage of critical severity CVEs that have been patched, does that metric actually tell us anything about the improved resiliency of their organization?