"SSVC: Prioritization of Vulnerability Remediation According to CISA"

As 2021 set a record for the number of vulnerabilities published and threat actors improved their ability to weaponize vulnerabilities, timely and better-informed prioritization and remediation of vulnerabilities should be a goal for all organizations. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) regularly publishes lists of the most exploited vulnerabilities and maintains a catalog of Known Exploited Vulnerabilities (KEV) that everyone is welcome to use, but as useful as these resources are, organizations still struggle when deciding which security holes should be fixed first. As a result, the agency has updated and promoted the Stakeholder-Specific Vulnerability Categorization (SSVC) system it uses. According to Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, better vulnerability management is achievable, and it entails using automation, clarifying the impact of vulnerabilities, and prioritizing vulnerabilities. The Common Security Advisory Framework (CSAF) provides a standardized format for ingesting vulnerability advisory information, simplifying asset owners' triage and remediation processes. With the help of the SSVC Calculator and the SSVC system, vulnerabilities can be prioritized based on specific attributes such as state of exploitation, technical impact, the potential for automated exploitation, impact on an organization's mission essential functions, and impact on public well-being. This article continues to discuss the prioritization of vulnerability remediation with the help of the SSVC guide. 
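To make the difference between SSVC and a plain severity score concrete, here is an added example (not code from the article, from Help Net Security, or from CISA) that models the decision points the article names and runs a small set of constructed assessments through a deployer-style tree. The decision-point value names (none/poc/active, no/yes, partial/total, low/medium/high) and the four outcomes (Track, Track*, Attend, Act) follow CISA's SSVC vocabulary; the rules inside `decide` are an assumed, simplified policy written for illustration, not CISA's published decision table, and should be replaced with the official table (or your organization's own) before use.

```python
"""Illustrative SSVC-style prioritization for a vulnerability deployer.

Assumptions: value names follow CISA's SSVC decision points; the outcome
rules in decide() are a simplified stand-in for CISA's published deployer
tree, not a copy of it. Vulnerability identifiers below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Exploitation(Enum):      # state of exploitation
    NONE = "none"
    POC = "poc"
    ACTIVE = "active"


class Automatable(Enum):       # potential for automated exploitation
    NO = "no"
    YES = "yes"


class TechnicalImpact(Enum):   # control an attacker gains over the component
    PARTIAL = "partial"
    TOTAL = "total"


class MissionWellbeing(Enum):  # impact on mission essential functions and public well-being
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass(frozen=True)
class Assessment:
    vuln_id: str
    exploitation: Exploitation
    automatable: Automatable
    technical_impact: TechnicalImpact
    mission_wellbeing: MissionWellbeing


def from_strings(vuln_id: str, exploitation: str, automatable: str,
                 technical_impact: str, mission_wellbeing: str) -> Assessment:
    """Build an Assessment from plain strings (e.g. fields pulled from an
    advisory feed). Enum lookup raises ValueError on an unknown value, so a
    mistyped input is rejected instead of silently landing in 'Track'."""
    return Assessment(vuln_id, Exploitation(exploitation), Automatable(automatable),
                      TechnicalImpact(technical_impact), MissionWellbeing(mission_wellbeing))


def decide(a: Assessment) -> str:
    """Return one of the deployer outcomes: 'Track', 'Track*', 'Attend', 'Act'.

    Assumed, illustrative policy:
      - active exploitation that hits essential functions or public
        well-being hard, or that is both wormable and total, demands action;
      - other active exploitation with any aggravating factor gets attention
        at the next planning cycle; without one it is tracked closely;
      - a public PoC is escalated only when high impact meets a wormable or
        total-control flaw;
      - with no known exploitation, everything is tracked.
    """
    high = a.mission_wellbeing is MissionWellbeing.HIGH
    medium = a.mission_wellbeing is MissionWellbeing.MEDIUM
    total = a.technical_impact is TechnicalImpact.TOTAL
    auto = a.automatable is Automatable.YES

    if a.exploitation is Exploitation.ACTIVE:
        if high or (auto and total):
            return "Act"
        if auto or total or medium:
            return "Attend"
        return "Track*"
    if a.exploitation is Exploitation.POC:
        if high and (auto or total):
            return "Attend"
        if high or (auto and total):
            return "Track*"
        return "Track"
    # Exploitation.NONE
    return "Track*" if (auto and total and high) else "Track"


# Urgency order used to sort a work queue; lower number = more urgent.
URGENCY = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


def prioritize(assessments: list[Assessment]) -> list[tuple[str, str]]:
    """Return (vuln_id, outcome) pairs, most urgent first; ties keep input order."""
    scored = [(a.vuln_id, decide(a)) for a in assessments]
    return sorted(scored, key=lambda pair: URGENCY[pair[1]])


# Constructed sample: identifiers are placeholders, not real CVEs.
SAMPLE = [
    from_strings("VULN-1", "active", "no", "partial", "low"),
    from_strings("VULN-2", "poc", "yes", "total", "high"),
    from_strings("VULN-3", "none", "no", "partial", "medium"),
    from_strings("VULN-4", "active", "yes", "total", "high"),
]

if __name__ == "__main__":
    for vuln_id, outcome in prioritize(SAMPLE):
        print(f"{vuln_id}: {outcome}")
```

The point the ordering makes is that two flaws with identical technical characteristics can land in different buckets depending on the stakeholder's mission and well-being impact, which a single global score cannot express; the work queue is derived from the tree, so changing the policy in one place re-prioritizes every assessment consistently.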

Help Net Security reports "SSVC: Prioritization of Vulnerability Remediation According to CISA"

Submitted by Anonymous on