Acceleration Economy
Cybersecurity as a Business Enabler

How Contextual Analysis Zeroes in on the Most Exploitable AppSec Vulnerabilities

By Chris Hughes, February 3, 2023 (updated February 5, 2023). 4 min read.

Anyone who works in application security (AppSec) knows the pain of vulnerability management. You work with the development team, as well as product and system owners, to get vulnerabilities mitigated or remediated, and then new scans run, and new vulnerabilities are found.

This infinite loop of toil and tension drains the development team’s time and focus and fosters resentment. People come to see security as always introducing problems and slowing down delivery of new features to production — and delivery velocity is a critical development team metric.

This is why contextual analysis is critical to AppSec. Contextual analysis provides the information teams need to prioritize vulnerabilities and make the best use of their limited resources. That information includes:

  • whether the dependency/code is reachable and in the attack path
  • whether an exploit is available, and if so, at what level of maturity
  • whether an exploit is used in the wild successfully, and more.
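The first item in that list, reachability, can be checked mechanically. The following is an added example (not code from the article or from any vendor product) that builds a crude static call graph from a constructed Python application and asks whether a vulnerable dependency function is reachable from the request-handling entry point. The application source, the dependency name `parselib` and its `safe_load`/`unsafe_load` functions are all constructed for the example; real reachability tools resolve imports, classes and dynamic dispatch, which this toy deliberately does not.

```python
import ast
from collections import deque

# Constructed sample application (hypothetical code, not from any real project).
# "parselib" and its functions are placeholders standing in for a dependency
# that has one vulnerable function (unsafe_load) and one safe one (safe_load).
APP_SOURCE = '''
import parselib

def handle_request(req):
    body = decode(req)
    return render(body)

def decode(req):
    return parselib.safe_load(req)

def render(doc):
    return str(doc)

def legacy_import(path):
    # Dead code: nothing on the request path calls this function.
    with open(path) as fh:
        return parselib.unsafe_load(fh.read())
'''


def _call_name(node):
    """Return a dotted name for a call target (e.g. 'parselib.safe_load'),
    or None when the target is not a plain name or attribute chain."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
            return ".".join(reversed(parts))
    return None


def build_call_graph(source):
    """Map each top-level function name to the set of call targets in its body."""
    tree = ast.parse(source)
    graph = {}
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            targets = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    name = _call_name(sub)
                    if name:
                        targets.add(name)
            graph[node.name] = targets
    return graph


def reachable_symbols(graph, entry_points):
    """Breadth-first walk from the entry points; returns every symbol reached,
    including the entry points themselves and leaf calls into dependencies."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        for target in graph.get(name, ()):
            if target not in seen:
                queue.append(target)
    return seen


def is_reachable(source, entry_points, vulnerable_symbol):
    """True if vulnerable_symbol is on some call path from the entry points."""
    graph = build_call_graph(source)
    return vulnerable_symbol in reachable_symbols(graph, entry_points)


if __name__ == "__main__":
    for symbol in ("parselib.unsafe_load", "parselib.safe_load"):
        hit = is_reachable(APP_SOURCE, ["handle_request"], symbol)
        print(f"{symbol}: {'REACHABLE' if hit else 'not reachable'} from handle_request")
```

The scanner would flag `parselib` because `unsafe_load` is vulnerable, but the call graph shows only `safe_load` is on the request path; that distinction is what lets the finding be deprioritized rather than pushed to the development team as urgent. If `legacy_import` were later wired to an endpoint, the same check would flip to reachable.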


Bring Signal to the Noise

Development teams have little time and attention to spare and, traditionally, security demands both, often for vulnerabilities reported with no context or details. This is especially problematic once we realize that most vulnerabilities, typically catalogued as Common Vulnerabilities and Exposures (CVEs) in databases such as the National Institute of Standards and Technology National Vulnerability Database (NIST NVD), aren’t actually exploitable in a given environment.

This means the vulnerabilities often don’t pose any real risk to the business, but without contextual analysis, it’s hard to tell the difference between what’s exploitable or not. This results in a lot of wasted time and a cognitive drain on the team.


Luckily, the industry is realizing the folly of the legacy approach of using base Common Vulnerability Scoring System (CVSS) scores without accounting for actual exploitability or environmental context because it’s inefficient and ineffective.

We’re starting to see greater use of resources such as the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalog, a list of vulnerabilities confirmed to have been exploited in the wild. This allows federal agencies, and any other organization, to prioritize those vulnerabilities for remediation.

CISA has also been championing the Stakeholder-Specific Vulnerability Categorization (SSVC) calculator, a collaboration with Carnegie Mellon University (CMU), as another resource organizations can use to prioritize vulnerability remediation.

We’re also seeing the emergence of the Exploit Prediction Scoring System (EPSS). Run by the same organization that runs the CVSS, the EPSS helps provide probability scores associated with CVEs. The EPSS shows the probability that a CVE will actually be exploited, going beyond just a blanket severity rating.

We’re also seeing vendors start to provide capabilities such as reachability analysis, which provides insight into whether or not vulnerable code is actually reachable within the application’s code base. This can help the security and development teams prioritize specific aspects of the code for remediation and allow development teams to perhaps seek out other, less vulnerable and exploitable components to include in their applications.
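To show how these signals change the order of work, here is an added example (not from the article or any of the tools it names) that ranks a constructed set of findings two ways: by CVSS base score alone, and by a tiering rule that puts KEV entries first, then reachable findings with a high EPSS probability, then findings with either signal, and everything else in the backlog. The CVE identifiers are placeholders of the form `CVE-0000-000N`, the EPSS values and the `EPSS_HIGH` threshold are assumed for illustration, and the `reachable` flag is assumed to come from a reachability analysis such as the one described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifier, not a real CVE
    component: str      # dependency the scanner flagged
    cvss_base: float    # CVSS base score, 0.0 to 10.0
    epss: float         # EPSS probability (0.0 to 1.0) of exploitation activity in the next 30 days
    in_kev: bool        # listed in CISA's KEV catalog
    reachable: bool     # vulnerable code is on a call path from the application's entry points


# Assumed threshold above which an EPSS probability is treated as "high";
# organisations tune this to their own risk appetite.
EPSS_HIGH = 0.10


def priority_tier(f):
    """Lower tier number means fix sooner.
    1: known exploited in the wild (KEV), regardless of reachability
    2: reachable in our code and likely to be exploited (EPSS high)
    3: one of the two signals present
    4: neither signal, regardless of CVSS base score"""
    if f.in_kev:
        return 1
    if f.reachable and f.epss >= EPSS_HIGH:
        return 2
    if f.reachable or f.epss >= EPSS_HIGH:
        return 3
    return 4


def sort_key(f):
    # Within a tier, break ties by exploitation probability, then by severity.
    return (priority_tier(f), -f.epss, -f.cvss_base)


def prioritize(findings):
    """Contextual ordering: KEV, then reachability and EPSS, then CVSS as tiebreaker."""
    return sorted(findings, key=sort_key)


def cvss_only(findings):
    """The legacy ordering the article argues against: base score alone."""
    return sorted(findings, key=lambda f: -f.cvss_base)


# Constructed findings; every value here is made up for the example.
FINDINGS = [
    Finding("CVE-0000-0001", "libfoo", 9.8, 0.02, in_kev=False, reachable=False),  # critical, but dead code
    Finding("CVE-0000-0002", "libbar", 7.5, 0.65, in_kev=True,  reachable=True),   # exploited in the wild
    Finding("CVE-0000-0003", "libbaz", 8.1, 0.30, in_kev=False, reachable=True),   # reachable, likely exploited
    Finding("CVE-0000-0004", "libqux", 5.3, 0.01, in_kev=False, reachable=False),  # backlog
    Finding("CVE-0000-0005", "libzed", 6.5, 0.40, in_kev=False, reachable=False),  # high EPSS, not reachable
]


if __name__ == "__main__":
    print("CVSS-only order:   ", [f.cve for f in cvss_only(FINDINGS)])
    print("Contextual order:  ", [f"{f.cve} (tier {priority_tier(f)})" for f in prioritize(FINDINGS)])
```

The CVSS-only list sends the development team to `libfoo` first, a 9.8 that nothing in the application can reach, while the actively exploited `libbar` finding sits third. The contextual order puts the KEV entry at the top and pushes the unreachable critical to the bottom tier, which is the reordering the article is describing.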

Final Thoughts

When you combine these capabilities of integrating contextual analysis to vulnerabilities through open source software (OSS) tooling, vendor products, or internally developed capabilities, you position your organization to spend your time and effort on the vulnerabilities that pose the largest risk to the organization — and therefore should be addressed first.

This drives down organizational risk, saves resources, and minimizes the strain on development teams. It also reduces the friction between development and security, with developers understanding that the items they’re being asked to address actually pose a risk and aren’t based on subjective scoring or metrics without context.

Time is limited, and it is best spent on vulnerabilities that pose real risk while not impeding development velocity and business outcomes that are enabled by software.



Chris Hughes

CISO & Co-Founder
Aquia

Areas of Expertise: Cybersecurity

Chris Hughes is an Acceleration Economy Analyst focusing on Cybersecurity. Chris currently serves as the Co-Founder and CISO of Aquia. Chris has nearly 20 years of IT/Cybersecurity experience, ranging from active duty time with the U.S. Air Force, civil service with the U.S. Navy and General Services Administration (GSA)/FedRAMP, and time as a consultant in the private sector. He is also an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris participates in industry working groups such as the Cloud Security Alliance’s Incident Response Working Group and serves as the Membership Chair for Cloud Security Alliance D.C. Chris also co-hosts the Resilient Cyber Podcast. Chris holds various industry certifications, such as the CISSP/CCSP from ISC2, as well as both the AWS and Azure security certifications. He regularly consults with IT and Cybersecurity leaders from various industries to assist their organizations with their Cloud migration journeys while keeping Security a core component of that transformation.
