How to Efficiently Prioritize Software Vulnerabilities

Data breaches cost about $4,000,000, on average. It’s clear why dedicated teams focus on resolving application vulnerabilities and ensuring their software is secure. This article explains vulnerability management and compares the popular methods for handling vulnerability sprawl.

What is a Software Vulnerability?

All categories of computer security issues, software and hardware, are Common Weakness Enumerations (CWE). Application Security professionals care about a subset of CWEs: Common Vulnerabilities & Exposures (CVE).

CVEs are publicly disclosed software exploits in open source software (OSS) or commercially available software. MITRE maintains the worldwide list of CVEs.

There are, of course, undiscovered vulnerabilities in software, too. The Open Worldwide Application Security Project (OWASP) is a non-profit that categorizes and ranks these vulnerability categories by their prevalence and impact on modern software attacks. OWASP deserves a longer explanation, so I’ll save the deep dive for another article.

How New CVEs Are Discovered and Reported

Security researchers and ethical hackers hunt for software weaknesses. The reporting process varies based on who discovers the vulnerability and how dangerous it is.

When companies find vulnerabilities in their own software, they typically patch without publishing the details. Extremely dangerous vulnerabilities may be assigned a CVE number and announced publicly to encourage patching.

Once a security researcher finds a vulnerability, they report it privately to the software vendor. Vendors have 90 days to patch their software. After the patch is available or the 90 days pass, the vulnerability is given a CVE number, and its details are published. Open source software is handled similarly, but the community may create the patch rather than its creators.

There are ~300 organizations that are designated as CVE Numbering Authorities (CNAs). These are vendors and research organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE records.

The CVE reporting process, courtesy of

Method #1: Prioritize with CVSS and EPSS

Vulnerabilities are constantly being discovered, making it impossible for software to be vulnerability-free. To manage the never ending supply of vulnerabilities, organizations often rely on two scoring systems: CVSS and EPSS. 

What is CVSS?

The severity of a CVE is measured by the Common Vulnerability Score System (CVSS) score. CVSS scores show only the danger associated with a vulnerability, not the likelihood of exploitation or the business impact. Since most CVEs in applications will never be exploited, you must contextualize vulnerabilities with additional data.

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is one method for determining the exploitation likelihood. EPSS is a machine-learning model that estimates, as its name suggests, the probability of an exploit occurring. Historical data on past vulnerabilities is the basis of the model, making it an imperfect, though still useful, model. The EPSS also will never understand your software architecture or any mitigating controls you have in place, so take it with a grain of salt.

A visual representation of CVSS and EPSS effort, coverage, and efficiency, courtesy of FIRST.

The Forum of Incident Response and Security Teams (FIRST) maintains the CVSS and EPSS. You should be aware of a few more vulnerability databases, which we’ll cover in the following sections.

Method #2: Prioritize Based on Known Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) is a U.S. federal agency that manages both cybersecurity and physical security across the United States. They provide software vulnerability resources to the public.

What is CISA-KEV?

CISA records all Known Exploited Vulnerabilities (CISA-KEV). If a CVE is confirmed to have been exploited at least once, it appears in CISA-KEV. While real-world confirmation is helpful, it doesn’t guarantee an attacker can exploit the same vulnerability in your environment. Mitigating controls and software architecture vary dramatically between organizations. A critical issue in one application could be inconsequential in another. 

What is SSVC?

CISA and Carnegie Mellon University created the Stakeholder-Specific Vulnerability Categorization (SSVC) to help practitioners prioritize their CISA-KEV lists. The four status levels — Track, Track*, Attend, and Act – provide an urgency level. The assigned status is based on five attributes:

  • Exploitation status
  • Technical impact
  • Automatable
  • Mission prevalence
  • Public well-being impact

CISA offers an SSVC calculator where stakeholders can input information about a specific vulnerability and other factors to get an overall recommendation on how their organization should prioritize it.

National Vulnerability Databases to Know

We’ll cover the other vulnerability databases you may run into for completeness.

What is the NVD?

The National Institute of Standards and Technology (NIST) is a U.S. federal agency maintaining the National Vulnerability Database (NVD). The NVD includes a comprehensive list of CVEs, CVSS scores, and the Common Platform Enumeration (CPE) data. Note that CPE is just a structured naming convention.

Other Countries with Vulnerability Databases

Russia and China each maintain their national software vulnerability databases. The Russian and Chinese NVDs are not typically used by practitioners in the Americas and EMEA.

Russia’s vulnerability database is known as BDU, Банк данных угроз безопасности информации, or “Data Security Threats Database.” It’s known to be less comprehensive than either the U.S. or Chinese national databases and is typically used by Russian citizens.

China’s vulnerability database is the CNNVD. It has a reputation for disclosing more vulnerabilities than the U.S. NVD. The average disclosure timeline is also quicker than the U.S. NVD. While the U.S. NVD is designed to help practitioners, there are concerns that the CNNVD is more of a government intelligence tool. Its users are primarily East Asian residents.

Method #3: Prioritize Based on Business Risk with ASPM

Application security teams must understand their software’s architecture to prioritize vulnerabilities properly. Historically, performing this at enterprise scale has been impossible.

Bionic’s Application Security Posture Management (ASPM) platform automatically scans and analyzes software architecture across deployed applications. The result is an accurate map and inventory of all application services, dependencies, and data flows that you can use to continuously visualize attack vectors, lateral movement, and exploitability, then prioritize remediation based on potential impact and business risk.

Bionic application map

Schedule a call with us to learn more about Bionic’s approach to finding, measuring, scoring, and reducing business risk at enterprise scale.

Did you find this blog helpful or interesting?

Click the social media button of your choice to share the blog with you friends and colleagues.

See a Live Demo of the Bionic Platform