Security Bsides Las Vegas 2024

CVSS v4 – A Better Version of an Imperfect Solution
2024-08-07, Firenze

The Common Vulnerability Scoring System (CVSS) is the global go-to standard for attributing criticality scores to vulnerabilities. In this talk, I will explore the latest iteration of CVSS (version 4) and its adoption in the universe of Application Security. I will talk about its role in vulnerability risk management and how it's critical for prioritizing risks. I will highlight some ever-enduring challenges, how to optimize scoring effectiveness to overcome some of those challenges, and play with ideas for an effective solution within the broader context of cybersecurity. I aim to engage with a diverse audience, offering insights into the evolving landscape of Vulnerability Assessment and inspiring discussion on future developments of the vector for proper Risk Management, with the idea of leaving some open questions for the future.


This talk follows on from the CVSSv4 research I did for Checkmarx. It's not fully developed yet, but that is for the best because it will leave me more open to the mentor's guidance. Nonetheless, I approved the idea with my group leader, Erez Yalon, who reviewed everything. Then, I presented it unofficially as a half-finished idea to a group of colleagues to receive valuable feedback and create a better outline.

The Common Vulnerability Scoring System (CVSS) is the number-one standard for attributing criticality scores to vulnerabilities to help organizations properly assess and prioritize their Vulnerability Management processes.

Today, it plays a fundamental role for organizations and project maintainers worldwide, even more so with the general adoption of CVE and with NVD as the go-to source for keeping track of new vulnerabilities. Both hold a fundamental position in the Information Security community by keeping all information publicly available and easily accessible.

We will explore key aspects of the new CVSS version, the challenges it intends to solve, and some persisting limitations, one major challenge being how to optimize its pivotal role in Vulnerability Management.

Looking forward, I will discuss the future landscape and potential collaboration and open some questions for the journey ahead.

CVSSv4 is an appealing presentation topic for the following reasons:
• CVSS is the number one standard.
• CVSS can still provide a consistent and reliable way to prioritize risks.
• CVSSv4 is the latest version, so it brings a note of innovation.
• It’s always interesting to learn about new stuff (but especially for those who work closely with it).
• The vector has limitations and much room for improvement.
• I intend to make the presentation "thought-provoking".

By the end of the presentation, I intend everyone to:
• Be familiar with CVSS, its importance, and its application in AppSec and Vulnerability Management.
• Understand what's new with the latest version, how to get the most out of it, and how it's still limited.
• Learn how CVSS usage is reflected in Risk Evaluation and Vulnerability Prioritization, and its importance to the AppSec community.
• Ask questions.
• Go home with plenty of ideas for better using CVSS, full of healthy questions, an urge to dig further into it, and happy with the talk.


I work in AppSec at Checkmarx. I hear 'vulnerability' daily, and I'm never sick of it. I dub myself a 'self-certified idiot' because I love learning and hatching ideas. So much I've made brainstorming a hobby and kickstarted a team initiative to keep us on the pulse of InfoSec. That results in learning about critical vulnerabilities before they become widely exploited, and we knew about CVSSv4 before it was cool.
Well, version 4 isn't cool yet, but in the meantime, I've researched and come up with this talk. Why? It's cool, CVSS is still widely adopted, and it has many limitations. If you give me a chance, I would like to bring it forward as 'food for thought'.
I wasn't given the chance to win a 'Best Speaker' award yet. However, I published a few blog posts for Checkmarx and am brewing many other initiatives. I'm also currently studying to pass the CEH certification. Contributing to the AppSec Village at RSAC in San Francisco last year. Check.
Beyond the keyboard, you catch me reading, writing, or practicing martial arts. As in cybersecurity, I seek constant learning.

Full bio: https://bit.ly/3SShO1C