TEL AVIV, Israel, June 23, 2020 /PRNewswire/ -- WhiteSource, the leader in open source security and license compliance management, and CYR3CON, which predicts cybersecurity attacks based on AI-gathered intelligence from hacker communities, release in collaboration with d today their joint research report on security vulnerability prioritization through the eyes of hackers.
As technology constantly advances, software development teams are bombarded with security alerts at an increasing rate. This has made it nearly impossible to remediate every vulnerability, rendering the ability to properly prioritize remediation all the more critical.
This research examines the most common methods software development teams use to prioritize software vulnerabilities for remediation and compares those practices to data gathered from the discussions of hacker communities, including the dark web and deep web.
Key findings in the report include:
- Software development teams tend to prioritize based on available data such as vulnerability severity score (CVSS), ease of remediation, and publication date, but hackers don't target vulnerabilities based on these parameters.
- Hackers are drawn to specific vulnerability types (CWEs), including CWE-20 (Input Validation), CWE-125 (Out-of-bound Read), CWE-79 (XSS), and CWE-200 (Information Leak/Disclosure).
- Organizations tend to prioritize "fresh" vulnerabilities, while hackers often discuss vulnerabilities for over 6 months following exploitation, with even older vulnerabilities re-emerging in hacker community discussions as they reappear in new exploits or malware.
"As development teams face an ever-rising number of disclosed vulnerabilities, it becomes impossible to fix everything and it's imperative that teams focus on addressing the most urgent issues first," said Rami Sass, CEO and co-founder of WhiteSource. "Our research can help organizations adopt a solid prioritization method, and ensure they look beyond just the most accessible data to the data that can best help them fix the security vulnerabilities that could cause the greatest impact, and in turn save them valuable time."
"All too often companies unknowingly accept risk by using outdated methods of vulnerability prioritization - and this report sheds light on the shortcomings of those approaches. Combining threat intelligence and machine learning overcomes those shortcomings, highlighting previously unidentified risks in the process," said Paulo Shakarian, CYR3CON CEO & Co-Founder. "Our CyRating score, which originates from our own peer-reviewed scientific research, was designed to scale the process of analyzing vulnerabilities and rapidly shed light on the hackers' perspective of what they will exploit. Many top-tier teams today use CYR3CON to provide the knowledge they need to conduct this analysis in a manner that scales."
WhiteSource is the pioneer of open source security and license compliance management. Founded in 2011, its vision is to empower businesses to develop better software by harnessing the power of open source. WhiteSource is used by more than 800 customers worldwide, from all verticals, and sizes, including 23% of Fortune 100 companies, as well as industry leaders such as Microsoft, IBM, Comcast and many more. For more information, please visit www.WhiteSourceSoftware.com
CYR3CON combines hacker-community threat intelligence with machine learning to predict threats to enterprise technology. The CYR3CON approach leverages peer-reviewed science and comprehensive threat intelligence to rapidly inform security teams. Multiple Fortune 500 companies use CYR3CON's SaaS-based offering that includes both an API and web-based option. CYR3CON routinely identifies major cyber threats in clients prior to purchase. For more information, please visit https://www.cyr3con.ai/