A New Approach to Managing Vulnerabilities is Required - Work Smarter not Harder with Rapid7 Remediation Hub

The volume of Common Vulnerabilities and Exposures (CVEs) being identified has reached a level at which even the organization tasked with managing them can no longer keep up. The National Vulnerability Database (NVD) announced in February 2024 that it would no longer provide Common Vulnerability Scoring System (CVSS) scores for all CVEs.

This decision was down to resource constraints and an inability to keep up with the volume of newly disclosed vulnerabilities. The NVD has now shifted its focus to processing vulnerabilities more efficiently by relying on vendor-provided and third-party scores rather than scoring each CVE independently.

The Growing Vulnerability Challenge

In 2024, over 40,000 CVEs were published, a 38% increase from 2023. All of this is before organizations begin looking at non-CVE vulnerabilities (configuration issues, outdated systems, elevated privileges, etc.) that can be just as important as vulnerabilities that do have a CVE. Even the NVD is saying that a new approach to vulnerability management is required.

The Limits of Traditional Risk-Based Vulnerability Management

A key component of Risk-Based Vulnerability Management (RBVM) is prioritization: ranking vulnerabilities by their calculated risk scores, then addressing or remediating the highest-risk vulnerabilities first.

However, in today's high-volume vulnerability landscape, security teams often face multiple vulnerabilities with similar high-priority risk scores. What do you tackle first?

Many organizations, including Rapid7, are addressing ..
