So on this point I disagree with the author. Depending on what you want to do, two methodologies I've used in the past have worked well for me:
- EPSS - exploit predictability scoring system. How likely is this to be exploited? For many a key metric in patching prioritization.
- SSVC - stakeholder specific vulnerability categorization, comes to one of four outcomes for patching - immediately, emergency window, next scheduled window, or whenever. Gets to how severe an impact would be on the business as a whole.
I'd be a bit skeptical about claims that the vendors do much more than CVSS, especially since last time I checked even the coverage was lacklustre. I could not see any trend that showed that these actually exploitable vulnerabilities are somehow ranked higher than CVSS (data on that here). Granted it was a while ago and specifically on Docker images/containers, and I have not looked at Tenable for example.
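The two comments above raise one practical question: does an EPSS/SSVC-style ordering actually put the findings that get exploited ahead of a plain CVSS sort? The following is an added example, written for this page and not code from either commenter or from any scanner vendor. It maps EPSS probability plus a business-impact rating onto the four patch windows named in the first comment, then measures, over a constructed set of findings, how many actually-exploited items land in the top slots under each ordering. The EPSS thresholds (0.5 and 0.1), the identifiers, scores and exploited flags are all assumptions and sample data, and the decision function is a simplified stand-in for SSVC's published decision tree, not a reproduction of it.

```python
"""Added example: EPSS/impact-driven patch windows versus a CVSS-only sort.

All findings below are constructed sample data (placeholder identifiers, not
real CVE numbers). Thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# The four patch windows named in the comment, most urgent first.
OUTCOMES = ("immediate", "emergency_window", "next_scheduled_window", "whenever")
RANK = {name: i for i, name in enumerate(OUTCOMES)}  # lower rank = more urgent


@dataclass(frozen=True)
class Finding:
    ident: str        # placeholder identifier, not a real CVE id
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability of exploitation (0-1)
    impact: str       # business impact rating: "low", "medium" or "high"
    exploited: bool   # ground truth used only for evaluation


def ssvc_style_outcome(f: Finding, epss_hot: float = 0.5, epss_warm: float = 0.1) -> str:
    """Map EPSS likelihood and business impact onto one of the four windows.

    This is a simplified, assumed decision rule for the example; it is not the
    official SSVC deployer tree.
    """
    likely = f.epss >= epss_hot
    plausible = f.epss >= epss_warm
    if likely and f.impact == "high":
        return "immediate"
    if likely or (plausible and f.impact == "high"):
        return "emergency_window"
    if plausible or f.impact != "low":
        return "next_scheduled_window"
    return "whenever"


def order_by_cvss(findings):
    """Baseline: the ordering a CVSS-only scanner report would give."""
    return sorted(findings, key=lambda f: -f.cvss)


def order_by_outcome(findings):
    """Window first, then EPSS, then CVSS as a final tie-break."""
    return sorted(findings, key=lambda f: (RANK[ssvc_style_outcome(f)], -f.epss, -f.cvss))


def exploited_in_top(ordered, k: int) -> int:
    """Count actually-exploited findings among the first k positions."""
    return sum(1 for f in ordered[:k] if f.exploited)


def compare(findings, k: int) -> dict:
    """Return top-k hit counts for both orderings plus the total exploited."""
    return {
        "total_exploited": sum(1 for f in findings if f.exploited),
        "cvss_top_k": exploited_in_top(order_by_cvss(findings), k),
        "outcome_top_k": exploited_in_top(order_by_outcome(findings), k),
    }


# Constructed sample findings: high CVSS does not imply exploitation here.
SAMPLE = [
    Finding("SAMPLE-1", cvss=9.8, epss=0.020, impact="medium", exploited=False),
    Finding("SAMPLE-2", cvss=7.5, epss=0.850, impact="high",   exploited=True),
    Finding("SAMPLE-3", cvss=5.3, epss=0.600, impact="low",    exploited=True),
    Finding("SAMPLE-4", cvss=9.1, epss=0.010, impact="low",    exploited=False),
    Finding("SAMPLE-5", cvss=8.8, epss=0.150, impact="high",   exploited=False),
    Finding("SAMPLE-6", cvss=4.3, epss=0.005, impact="low",    exploited=False),
]

if __name__ == "__main__":
    for f in order_by_outcome(SAMPLE):
        print(f"{f.ident:9} cvss={f.cvss:4} epss={f.epss:.3f} "
              f"impact={f.impact:6} -> {ssvc_style_outcome(f)}")
    print(compare(SAMPLE, k=2))
```

With the constructed data the CVSS sort puts the two highest-scored but unexploited findings first, while the window-based ordering surfaces both exploited ones in the first two slots. Swapping in a scanner's real ranking for `order_by_outcome` and a known-exploited list for the `exploited` flag turns this into the kind of check the second comment describes.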