WhiteSource, a leading open source security management company, and CYR3CON, which provides cyber-attack intelligence based on information its AI gathers from hacker communities, today released their joint research report on the prioritization of security vulnerabilities. The research aims to compare how differently companies and hackers prioritize vulnerabilities.
As technology continues to evolve, software development teams are being bombarded with a growing number of security vulnerabilities. This has made it almost impossible to fix every vulnerability, making the ability to prioritize vulnerabilities even more critical.
This research examines the most common methods software development teams use to prioritize software vulnerabilities for remediation and compares these practices with data collected from hackers' discussions in various forums, including the dark web and the deep web.
The report's key findings are the following:
- Software development teams tend to prioritize based on readily available data, such as the vulnerability's severity score (CVSS), ease of remediation, and publication date, but hackers do not choose the vulnerabilities they target based on these parameters.
- Hackers are attracted to specific types of vulnerabilities (CWE), including CWE-20, CWE-125, CWE-79 (XSS) and CWE-200.
- Organizations tend to prioritize "new" vulnerabilities, yet hackers often keep discussing vulnerabilities for more than 6 months after they are first exploited, and even older vulnerabilities resurface in hackers' discussions when they appear in new exploits or malware.
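To make the gap between the two prioritization styles concrete, the following added example (written for this page, not code from the report, WhiteSource or CYR3CON) orders a small constructed backlog two ways: first by the "available data" the findings say teams rely on (CVSS, fix effort, recency), then by a score that also credits the CWE families named above and observed exploit chatter that persists past six months. The records, weights and identifiers are all constructed for illustration; the CyRating score mentioned later is not reproduced here.

```python
"""Added illustration: severity-driven versus attacker-aware ranking of a backlog.
Weights, records and identifiers are constructed for the example only."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# CWE families the report names as attracting hacker attention.
ATTACKER_FAVOURED_CWES = {"CWE-20", "CWE-125", "CWE-79", "CWE-200"}


@dataclass(frozen=True)
class Vuln:
    vid: str            # placeholder identifier, not a real CVE
    cvss: float         # CVSS base score, 0.0 to 10.0
    cwe: str            # weakness category
    age_days: int       # days since public disclosure
    fix_effort: int     # 1 (trivial) .. 5 (hard), as a team would estimate
    chatter_days: int   # days of observed exploit discussion (0 = none seen)


def severity_score(v: Vuln) -> float:
    """Team-side heuristic: severity first, then ease of fix, then recency."""
    recency = max(0.0, 1.0 - v.age_days / 365.0)   # newer bugs get a bonus
    return v.cvss + (5 - v.fix_effort) * 0.5 + recency * 2.0


def threat_score(v: Vuln) -> float:
    """Attacker-aware heuristic: same base severity plus signals of real interest.
    The weights are constructed for illustration, not taken from any product."""
    score = v.cvss
    if v.cwe in ATTACKER_FAVOURED_CWES:
        score += 3.0
    if v.chatter_days > 0:
        # Long-running chatter counts for more, not less, since the report
        # observes discussion continuing well beyond six months.
        score += 2.0 + min(v.chatter_days, 365) / 365.0 * 2.0
    return score


def rank(vulns: List[Vuln], key: Callable[[Vuln], float]) -> List[str]:
    """Return identifiers ordered from highest to lowest score."""
    return [v.vid for v in sorted(vulns, key=key, reverse=True)]


# Constructed backlog: a fresh high-CVSS memory bug, an old XSS with active
# chatter, an input-validation bug with chatter, and a fresh easy fix.
BACKLOG = [
    Vuln("VULN-1", 9.8, "CWE-787", age_days=10,  fix_effort=4, chatter_days=0),
    Vuln("VULN-2", 6.1, "CWE-79",  age_days=400, fix_effort=2, chatter_days=250),
    Vuln("VULN-3", 7.5, "CWE-20",  age_days=220, fix_effort=3, chatter_days=200),
    Vuln("VULN-4", 8.1, "CWE-416", age_days=5,   fix_effort=1, chatter_days=0),
]


def compare() -> Dict[str, List[str]]:
    """Both orderings side by side, so the disagreement is visible."""
    return {
        "by_severity": rank(BACKLOG, severity_score),
        "by_threat": rank(BACKLOG, threat_score),
    }


if __name__ == "__main__":
    for name, order in compare().items():
        print(name, order)
```

The two orderings disagree on what to fix first: the severity heuristic puts the two newest, highest-CVSS items on top, while the attacker-aware heuristic promotes the older CWE-20 and CWE-79 items that carry exploit chatter, which is exactly the mismatch the findings describe.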
"As development teams face a growing number of vulnerabilities being uncovered, it becomes impossible to fix everything and it is imperative that teams focus on the most pressing issues first," said Rami Sass, CEO and co-founder of WhiteSource. "Our research can help organizations adopt a consistent prioritization method and ensure that they see beyond the most accessible data, looking instead at the data that can help them fix the security vulnerabilities that could cause the biggest impact to the company."
"Too often, companies unknowingly take on risk by using outdated vulnerability prioritization methods - and this report sheds light on the weaknesses of these approaches. Its combination of threat intelligence and machine learning overcomes these weaknesses by identifying previously unrecognized risks in the process," said Paulo Shakarian, CYR3CON CEO & Co-Founder. "Our CyRating score, which comes from our peer-reviewed scientific research, was designed to scale the process of analyzing vulnerabilities and quickly shed light on the hackers' perspective on what they will exploit."