Navigating the Evolving Landscape of Vulnerability Management
VulnCheck leaders share insights on navigating the challenges of vulnerability management at scale through automation, data sharing, and collaboration.
As the volume and complexity of software vulnerabilities continue to grow exponentially, developers, engineers, and architects face increasing challenges in keeping their applications and systems secure. I sat down with Patrick Garrity, Security Researcher, and Anthony Bettini, CEO at VulnCheck during CVE/FIRST VulnCon 2024, to discuss the current state of vulnerability management and how their company is innovating to help technology professionals stay ahead of the curve.
The Challenge of Increasing Vulnerabilities
One of the key trends that VulnCheck is seeing is an exponential increase in disclosed software vulnerabilities that shows no signs of slowing down. Garrity explained that a major factor behind this growth is the spread of responsible disclosure practices — more organizations are proactively disclosing vulnerabilities that they previously would not have reported.
While this is a positive trend for security overall, it presents significant scalability challenges for the manual processes used by many organizations to track and triage vulnerabilities today. Even the U.S. National Vulnerability Database (NVD) run by NIST is struggling to keep up with the growing backlog due to budget constraints.
Automating Vulnerability Intelligence
To address this challenge, VulnCheck is focused on collecting, processing, and sharing vulnerability data in an automated and scalable way. "There is tons of information out there, like an ungodly amount of information," explained Garrity. "Probably the biggest thing is how you collect and process that information in a way that can be consumed."
VulnCheck ingests data from various sources beyond the NVD and makes it freely available to the community through open APIs, detailed blog posts, and other resources. The goal is to give organizations a "head start" on vulnerability awareness so they can begin remediation 20–30 days before intelligence enters the NVD and other official sources.
"If nothing else, we're trying to make that freely available to the community," said Bettini. "Because effectively, if no one steps into the problem, that backlog will continue to grow, and the impact of that backlog affects national security."
Putting EPSS Scores in Context
Garrity also shared insights from his involvement in FIRST's Exploit Prediction Scoring System (EPSS) Special Interest Group. EPSS estimates the probability, on a scale from 0 to 1, that a vulnerability will be exploited in the wild within the next 30 days. However, Garrity cautioned that many organizations misunderstand and misuse EPSS data.
"There's a lot of misunderstanding around probability," he explained. "People often are like, 'Oh, well, I'm going to use it just like I use CVSS. If it's a 0.7 or higher, I will fix it.' When you're discussing probability, a vulnerability with a 70% chance of being exploited in the next 30 days, like, maybe you want to set those thresholds a lot lower."
The distinction matters because EPSS is not a severity scale: a score of 0.7 is already an extremely high probability, and the large majority of published CVEs score well below 0.1, so a CVSS-style cutoff at 0.7 quietly drops almost everything that deserves a look. Garrity advises using EPSS as one of many factors to identify vulnerabilities that warrant further investigation, not as an automatic priority score. When EPSS shows an elevated probability, security teams should look for corroborating evidence, such as confirmed exploitation in the wild or a publicly available proof-of-concept, and weigh it against the exposure of the affected asset in their own environment before making a risk-based prioritization decision.
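The following is an added illustration, not code from the article or from VulnCheck, of the difference between treating EPSS as a CVSS-style cutoff and treating it as one signal among several. The records, scores and flags are constructed sample data; the tier names, the 0.1 investigation cutoff and the `in_kev` / `public_poc` / `internet_facing` fields are assumptions made for the example. It also carries the probability point one step further than the text: because EPSS values are probabilities, the chance that at least one vulnerability in a set is exploited is `1 - prod(1 - p_i)` (assuming independence), which is why a pile of "low" scores is not a low risk.

```python
"""
Added example (not from the article or VulnCheck): prioritising vulnerabilities
with EPSS as one signal among several, rather than as a CVSS-style threshold.
All identifiers, scores and flags below are constructed sample data.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Vuln:
    name: str              # constructed label, not a real advisory identifier
    cvss: float            # CVSS base score, 0-10 (severity, not likelihood)
    epss: float            # EPSS: probability of exploitation in next 30 days, 0-1
    in_kev: bool           # confirmed exploitation in the wild (e.g. on a KEV list)
    public_poc: bool       # a public proof-of-concept exploit exists
    internet_facing: bool  # exposure of the affected asset in *our* environment


# Constructed sample inventory.
SAMPLE = [
    Vuln("A", 9.8, 0.02, in_kev=False, public_poc=False, internet_facing=True),   # critical CVSS, no evidence
    Vuln("B", 7.5, 0.85, in_kev=True,  public_poc=True,  internet_facing=True),   # actively exploited
    Vuln("C", 6.1, 0.30, in_kev=False, public_poc=True,  internet_facing=True),   # PoC + exposed
    Vuln("D", 8.8, 0.15, in_kev=False, public_poc=False, internet_facing=False),  # elevated EPSS only
    Vuln("E", 5.3, 0.01, in_kev=False, public_poc=False, internet_facing=False),  # nothing notable
]


def cvss_style_threshold(vulns, epss_cutoff=0.7):
    """The misuse described in the interview: treat EPSS like CVSS and
    fix only what scores at or above a high cutoff."""
    return [v.name for v in vulns if v.epss >= epss_cutoff]


def prioritize(vulns, epss_cutoff=0.1):
    """Evidence-based tiers (assumed scheme for this example).

    EPSS above a deliberately low cutoff only *flags* a vulnerability for
    investigation; the tier is decided by evidence of exploitation and by
    the asset's exposure in our environment.
    """
    tiers = {}
    for v in vulns:
        if v.in_kev:
            tier = "P1-active-exploitation"
        elif v.public_poc and v.internet_facing:
            tier = "P1-poc-exposed"
        elif v.epss >= epss_cutoff or v.public_poc:
            tier = "P2-investigate"
        elif v.cvss >= 9.0:
            tier = "P3-severe-no-evidence"
        else:
            tier = "P4-backlog"
        tiers[v.name] = tier
    return tiers


def prob_any_exploited(vulns):
    """Probability that at least one vulnerability in the set is exploited
    within 30 days, treating the EPSS scores as independent events:
    1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - v.epss for v in vulns)


if __name__ == "__main__":
    print("CVSS-style cutoff at 0.7 would fix only:", cvss_style_threshold(SAMPLE))
    for name, tier in prioritize(SAMPLE).items():
        print(f"{name}: {tier}")
    print(f"P(at least one exploited in 30 days) = {prob_any_exploited(SAMPLE):.3f}")
```

With this sample, the 0.7 cutoff selects only B, which the KEV flag would have caught anyway, while C (a public PoC on an internet-facing asset with EPSS 0.30) is never looked at. Five vulnerabilities each scoring 0.10 still give roughly a 41% chance that at least one is exploited in the window, which is the intuition behind setting the investigation threshold far below 0.7.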
Bridging the Gap Between Security and Developers
Another common challenge that VulnCheck sees its customers facing is how vulnerability management (VM) teams can effectively communicate security issues to developers. Bettini highlighted how developers often struggle to translate vulnerability scores into meaningful priorities.
"The vulnerability management teams say, 'Oh, we understand our scoring system. We understand what 1-2-3-4-5-6-7-8-9-10 means,' but then they go to a software developer and say, 'I want you to fix this vulnerability because my system says it's a 9.' And that 9 means absolutely nothing to the developer," said Bettini.
Garrity advises VM teams to spend more time collaborating with and understanding the processes of their developer, operations, and product security counterparts to drive better remediation outcomes. Context is key. "To really get someone to take action, you need to have evidence," he said. "You need to say, 'Hey, this vulnerability, we know is being exploited by these threat actors' or 'This vulnerability has some recently developed proofs of concept'... That actually is something meaningful that now I can internalize and then take action."
Realizing the Potential of AI and Machine Learning
While artificial intelligence (AI) and machine learning (ML) are increasingly being hyped as game-changers for vulnerability management, Garrity and Bettini expressed a mix of optimism and healthy skepticism about their near-term potential.
They see great value in using AI/ML models trained on carefully curated vulnerability datasets to reduce manual effort and augment human decision-making. VulnCheck provides clean, labeled data that its customers can use to train models to support contextual prioritization based on their environment and risk tolerances.
However, the VulnCheck leaders cautioned against an over-reliance on AI/ML and "bolted-on" solutions. "I think that people generally misinterpret its value," said Garrity. "Because they don't know how to build the right solution, they are going to use AI to try and come up with a solution... within like five minutes, I can find you hundreds of corner cases where the inferences they're providing are wrong, inaccurate."
Looking Ahead
As the pace and complexity of software vulnerabilities continue to increase, it's clear that automation, data sharing, and cross-team collaboration will be essential to helping development and security teams keep up.
Forward-thinking leaders like those at VulnCheck demonstrate how a community-oriented approach combining automated data collection, actionable intelligence, and intuitive workflows can streamline vulnerability management and help teams focus their limited resources more effectively. By helping to bridge the gaps between vulnerability disclosures, security operations, and the development lifecycle, innovative tooling can play a key role in securing the applications that power our digital world.
Opinions expressed by DZone contributors are their own.