Share this page!

RAPIDFORT Profile picture
Twitter logo
Dec 8 8 tweets 3 min read
Who determines how severe a vulnerability is?

Severity is how much damage a hacker can inflict exploiting a product using that vulnerability. It doesn’t mean this is the most critical risk facing your system, but many developers mistakenly think it is.
1/ Severity & other information related to a known issue are catalogued in a Common Vulnerabilities & Exposures (CVE) database.

Several orgs track CVEs, including the National Institute of Standards & Technology @NIST #severity #vulnerabilities
2/ The rubric for scoring severity is the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics & severity of software vulnerabilities.

Several factors are classified into three categories: base, temporal & environmental.
3/ Though vulnerabilities can be classified as low, medium, high, or critical, they all provide the potential for a bad actor to enter & operate in your environment.
4/ Hacking is not a linear process. A malicious attack could begin with a low-severity exploit that provides the opportunity to move laterally and find a more dangerous exploit.
5/ Severity is not an arbitrary rating of a vulnerability, but when an organization is facing a software component analysis (SCA) scanner report containing 7,000 vulnerabilities, they almost always think:

“Let’s just take care of the critical- and high-severity problems.”
6/ Which vulnerabilities present a higher risk? An available Proof of Concept (POC) makes a vulnerability much more dangerous. With Rapid Risk Score, identify which vulnerabilities have POCs & are riskier.

#RRS #RapidFort
7/ Our SCA scanner not only identifies vulnerabilities, it also provides a full SBOM & predicts both Proof of Concept availability & the % you could reduce your attack surface by if you hardened your containers.

Get a head start on your planning for free: loom.ly/PVL-YwE

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with RAPIDFORT

RAPIDFORT Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @RapidFortInc

RAPIDFORT Profile picture
Dec 7
Knowing where vulnerabilities exist is only helpful when you can actually treat them. Unfortunately, a vast majority can only be corrected within an organization’s custom code.
Some organizations write custom patches, but contend with open source software package updates that break those custom patches, so there are significant forward compatibility challenges.

There’s no point in playing security whack-a-mole.

#OSS #cybersecurity
What dev, security & infrastructure teams need to know to improve test cycles:

👉 What software components are running in a workload
👉 What components actually gets used
👉 What components can be eliminated
👉 What vulnerabilities exist after unused components are eliminated
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(