Security Bsides Las Vegas 2024

Hirofumi Kawauchi

Dr. Hirofumi Kawauchi is SOC manager at NTT-ME. In his 10+ years of background in cyber security, he previously led incident response, vulnerability management, and Security by Design at NTT East, the largest telecom carrier in Japan. He also worked as a SOC analyst and in threat intelligence development, SIEM and security device management for Managed Security Services (MSS) at NTT Security US. After returning to Japan, he launched NTT East's MSS as tech lead and developed its SOC infrastructure. He contributes to Japan's telecom industry and educational field in cyber security by sharing his knowledge and experience at ICT-ISAC JAPAN, university classes, several events, etc. He holds CISSP, GPEN, GCFA, and AWS-SAP/SCS. He is also an NTT Group Certified Security Principal and holds a PhD in Engineering.


Session

08-06
18:30
20min
Reassessing 50k Vulnerabilities: Insights from SSVC Evaluations in Japan's Largest Telco
Hirofumi Kawauchi

The number of published vulnerabilities continues to increase year by year. As the largest telecom carrier in Japan, we provide fixed telecommunication services to our 13 million+ customers. Dealing with the huge number of vulnerabilities on this large-scale IT infrastructure has always been challenging.

We created our own practical criteria for Stakeholder-Specific Vulnerability Categorization (SSVC) instead of CVSS in order to prioritize and efficiently respond to each vulnerability. Additionally, to evaluate our method, we applied it to over 50,000 relevant vulnerabilities published over the past few years, based on the software component information from hundreds of our actual services.

In the evaluation result, the share of vulnerabilities rated “Immediate” is 8%, which is much more realistic than responding to all of them. The results also show that the method effectively prioritizes vulnerabilities by considering attack possibility, open/closed network exposure, business impact, etc.

In this presentation, we will describe the issues we faced, the problems with CVSS, and how we decided to adopt SSVC. We will share our SSVC method, its benefits, the evaluation results, and how to use the method. We hope this presentation will help you with your practical vulnerability management.

Ground Truth
Siena