Hackers of India

vPrioritizer: Learn to say NO to almost every vulnerability (art of risk prioritisation…)

 Pramod Rana 



As suggested by vulndb and cve, on a daily basis, approximately 50 new vulnerabilities become known to industry and even if an organization considers the impact rate of 10%, it’s still very challenging to manage it effectively and it’s safe to assume that count is going to increase furthermore. So with this amount organization is focusing (or should focus) on reducing the risk rather than eliminating it.

In current era, vulnerability management is (almost) equal to risk prioritisation because

So what is risk? How do we calculate it? What are the factors contributing to risk?

  1. CVSS (historically used) - No
  2. Asset Criticality - No
  3. Asset Accessibility - No
  4. Exploit Applicability - No
  5. Exploit Availability - No
  6. Ease of Exploitation - No
  7. Attack Surface - No
  8. All of the Above - Yes

Theoretically, the above approach looks appropriate to adopt but practically it’s not possible to do it manually for every vulnerability affecting every asset by every organisation.

To overcome the above challenges I have prepared an open-source framework, vPrioritizer, which gives us ability to assess the risk on different layers such as (and hence comprehensive control on granularity of each component of risk):

This framework enables us to understand the contextualized risk pertaining to each asset by each vulnerability across the organization. It’s community based analytics provides a suggested risk for each vulnerability identified by vulnerability scanners and further strengthens risk prioritization process. So at any point of time teams can make an effective and more informed decision, based on unified and standardized data, about what (vulnerability/ties) they should remediate (or can afford not to) on which (asset/s).