Mastering Vulnerability Management: Insights from Industry Leaders at VulnCon 2024
Bitsight and Cisco experts share insights on using CVSS, EPSS, and FIRST to improve vulnerability management and advance cybersecurity careers.
As software vulnerabilities continue to be a primary vector for cyberattacks, it is more critical than ever for developers, engineers, and architects to prioritize security and vulnerability management throughout the development lifecycle.
To gain insights into current best practices and industry trends, I sat down with two leading experts during CVE/FIRST VulnCon 2024: Ben Edwards, Principal Research Scientist at Bitsight, and Nick Leali, FIRST Member and Incident Manager at Cisco.
Our conversations explored the benefits of leveraging frameworks like CVSS and EPSS, the importance of collaboration through organizations like FIRST, and practical tips for technology professionals looking to evolve their careers by specializing in security.
Assessing Organizational Risk With Security Ratings
Bitsight is known for pioneering the security ratings market, which enables organizations to quantify and benchmark their cyber risk posture. As Edwards explained, much of Bitsight's analysis is based on "non-intrusive, external scanning to find vulnerabilities that are exposed on the internet - similar to what attackers are looking for when targeting organizations."
By identifying vulnerabilities across an organization's external attack surface and tracking how quickly they are remediated, Bitsight can provide actionable security performance metrics. "We have ratings that work both on patching cadence and general vulnerability exposure," said Edwards. "Those get combined into higher-level scores, so we assess inherent risk and the organization's demonstrated response."
This outside-in, evidence-based assessment can be a powerful tool for motivating internal improvement and facilitating risk-based conversations with executives and third-party partners. Developers can support these efforts by ensuring their applications and infrastructure are securely configured and watching their team's patching metrics.
Prioritizing Vulnerabilities With CVSS, EPSS, and VPR
Of course, not all flaws are created equal when it comes to fixing vulnerabilities. Edwards, who has been directly involved in the development of both CVSS and EPSS, provided an overview of how these and other frameworks can help organizations more effectively prioritize remediation efforts:
- CVSS (Common Vulnerability Scoring System): This system focuses on innate vulnerability severity. "You don't have to have a ton of information to use CVSS—just look at things like whether this is network-accessible, what the impacts are for confidentiality, integrity, and availability, and how much user interaction is required," explained Edwards. "It's beneficial for that initial quick sorting for what needs immediate response."
- EPSS (Exploit Prediction Scoring System): This system aims to predict the likelihood a vulnerability will be exploited in the wild. "EPSS is super important as you're planning strategically across an entire organization. Should I fix this vulnerability before that one because we have good data showing attackers are already targeting it or likely to target it?" said Edwards.
- VPR (Vulnerability Priority Rating): This is a closed, proprietary model from Tenable that factors in severity and threat intelligence. While Edwards noted VPR can be harder to assess given its black-box nature, he acknowledged that, like EPSS, it provides valuable additional context beyond CVSS alone.
"These are all just different lenses or views into vulnerabilities," explained Edwards. "Even as single metrics or as pieces of bigger calculations, they work together. No one number gives you the full picture, but they each provide different pieces of information to help you make better decisions."
Leali at Cisco echoed the importance of CVSS as a "foundational, open standard for assessing innate vulnerability severity" and shared details on the recent release of CVSS v4.0. The new version retires the v3.x Scope metric in favor of separate impact metrics for the vulnerable system and for subsequent systems, adds an Attack Requirements metric, and splits User Interaction into None, Passive, and Active, all of which enable more granular scoring.
For development teams, keeping up with these evolving vulnerability management frameworks and integrating them into defect prioritization is vital to reducing risk efficiently. Leali advises teams to "use CVSS as a starting point, but then layer on top other context, like asset value, exploit availability, and threat intelligence, to make decisions tailored to your specific environment and risk model."
The Incident Response Perspective
In addition to his CVSS work, Leali serves as an incident manager at Cisco, where he has a front-row seat to how vulnerabilities are exploited in the real world. He noted that in recent years, his team has "seen more and more web application security issues - things like cross-site scripting, request forgery, content injection, etc. - as compared to lower-level network protocol attacks."
This tracks the overall industry trend of attackers increasingly targeting the application layer and underscores the importance of developers building security from the start. Leali advises development teams to "really understand the OWASP Top Ten and how these vulnerabilities manifest in your application architecture and business context."
When incidents do happen, Leali stresses the importance of preparation and collaboration. "You need to proactively identify the right points of contact, and understand who to talk to when something happens. Have those conversations beforehand, and do tabletop exercises to practice your response."
A crucial part of that stakeholder coordination, Leali noted, is "being able to communicate clearly with both technical and non-technical audiences about what's happening and what needs to be done. Incident response is about people. You need strong relationships and a shared understanding going into a crisis."
While security incidents are inherently high-stress, Leali has seen first-hand how a collaborative, well-practiced response can make a huge difference in minimizing business impact. Developers and architects can enable this by participating in joint planning with their security counterparts and being responsive when issues arise.
The Power of Community Collaboration
Both Edwards and Leali emphasized the critical role that industry collaboration plays in staying ahead of evolving cyber threats. Edwards highlighted the example of FIRST's EPSS SIG that "systematically pools exploit data from the community to enable better risk prediction for everyone. No single organization has a complete view, but by working together, we can build more powerful tools."
Leali described how FIRST helps facilitate global cooperation and capacity building among incident responders. "FIRST is all about building trust, sharing best practices, and ensuring you have the right contacts before an incident occurs. It's about strengthening the whole global cybersecurity ecosystem."
For developers looking to learn and contribute, experts recommended proactively engaging with the security community via local chapters of groups like OWASP, professional conferences, and open-source projects. Edwards noted, "While it can seem daunting to keep up with the flood of new vulnerabilities, getting involved in the community is the best way to stay current and even get ahead of emerging issues. There's always something new to learn from your peers."
Evolving Your Career in Security
When asked how developers and other technology professionals can best position themselves for a career in cybersecurity, Edwards counseled that "cybersecurity as a field has gotten so broad that you really need to find your niche. Think about what fascinates you, whether it's the technical exploitation work, the human factors, or the policy side, and then go deep into that area."
He noted that strong development and engineering foundations will pay dividends in any security domain. He shared some practical advice: "If AppSec interests you, learn everything you can about the SDLC and how to build security from the start. Partner with your security team to help make vulnerability management more efficient and learn about their processes hands-on. Find an area where you can combine your existing skills with your curiosity to have an outsized impact."
Leali emphasized that "while technical chops are certainly important, at the end of the day, security is a human-centric challenge. You need to work effectively with people at all levels of the organization, translate complex issues, and influence without direct authority. Seek opportunities to collaborate across functions, and don't underestimate the importance of strong communication and stakeholder management skills."
Both leaders expressed optimism about the growing opportunities at the intersection of development and security. As Edwards put it, "The surface area that we need to defend keeps expanding, which can seem daunting, but it also means that there's more need than ever for talented individuals who can build and scale security into everything we do. It's a gap that I think the developer community is uniquely positioned to help fill."
Conclusion
As Ben Edwards and Nick Leali's insights make clear, vulnerability management is a complex and evolving discipline that requires ongoing collaboration between development, security, and business functions. By leveraging frameworks like CVSS and EPSS, preparing for incidents through practice and stakeholder coordination, and proactively engaging with the broader cybersecurity community, developers can play a key role in reducing risk while opening up exciting new career opportunities.
While the threat landscape continues evolving, one theme clearly came through in both interviews: the power of communication, collaboration, and continuous learning. As Leali noted, "At the end of the day, security is a team sport. No one function or organization can solve it alone. We can build a more resilient future by working together and sharing our knowledge."