Title of invention: Methods and systems for improved risk scoring of vulnerabilities
Abstract: A security tool can identify vulnerabilities in a computing system and determine a risk level of the vulnerabilities based on base and optional CVSS vectors and additional factors that represent the evolving nature of vulnerabilities. Likewise, the security tool can determine an overall risk for vulnerabilities, an asset, and/or a collection of assets that encompasses a global view of an asset's risk and/or collection of assets' risk, business considerations of an entity that owns and controls the asset and/or the collection of assets, and the entity's associations.
Publication number: US9411965(B2) Publication date: 2016.08.09
Application number: US201514862107 Filing date: 2015.09.22
Applicant: Rapid7 LLC Inventors: Giakouminakis Anastasios; Malm Sheldon E; Loder Chad; Li Richard D
Classification: G06F21/57; H04L29/06 Main classification: G06F21/57
Agency: MH2 Technology Law Group, LLP Agent: MH2 Technology Law Group, LLP
Main claim: 1. A method for security testing, comprising: identifying a vulnerability in an asset; executing a security tool, using one or more processors, to determine whether the vulnerability is exploitable, wherein the determination whether the vulnerability is exploitable is based at least partially on information from one or more security sources; determining a risk level of the vulnerability based at least partially on whether the vulnerability is exploitable; determining a new risk level for a future time based at least partially on factors utilized to determine the risk level; and determining a remediation strategy for the vulnerability in the asset according to a determined priority of remediation of vulnerabilities based at least partially on any combination of the risk level, the new risk level, business importance, an overall risk, risk aggregation in relation to risk thresholds, cost of remediation, and/or uptime requirements; and determining a residual risk of the vulnerability based on an effectiveness of the remediation strategy.
Address: Boston MA US