How to Prioritize AppSec Risks: CVSS, EPSS, and Too Much Data
In this session from LeanAppSec Fall 2023, Stephen Shaffer (Staff Security Automation Engineer, Peloton) and Darren Meyer (Lead Solution Architect, Endor Labs) discuss the pros and cons of different ways to prioritize AppSec risk, including CVSS, EPSS, SSVC, KEV, and reachability analysis.

00:41 - Introducing the speakers
2:31 - Overview of the different risk prioritization methods
3:17 - What is the Common Vulnerability Scoring System (CVSS)?
5:20 - What is the Exploit Prediction Scoring System (EPSS)?
8:55 - What is Stakeholder-Specific Vulnerability Categorization (SSVC)?
13:08 - What is KEV?
16:18 - What is reachability analysis and how does it figure in?
17:30 - First steps to implement a risk prioritization program
18:33 - Risk prioritization and the SDLC
23:23 - Using policies and breaking builds
25:11 - Frequency of code scanning
27:20 - Operational risks and advanced supply chain attacks
28:54 - Using reachability analysis to get context on whether a risk impacts you
36:21 - Using policies for open source software selection
41:19 - Key takeaways
42:40 - Advice for new AppSec professionals

—Learn More—
How Should I Prioritize Software Vulnerabilities?
https://www.endorlabs.com/blog/cve-vulnerability-epss-ssvc-reachability-vex
Combining the Exploit Prediction Scoring System (EPSS) with Reachability Analysis to Optimize Your Vulnerability Management Program
https://www.endorlabs.com/blog/epss-exploit-prediction-reachability-analysis

—LeanAppSec by Endor Labs—
LeanAppSec is an application security educational program by Endor Labs. It includes quarterly live events featuring industry experts (like this video) and on-demand courses.
https://www.leanappsec.com/

Follow Us on LinkedIn
https://www.linkedin.com/company/endorlabs
Learn More About Endor Labs
https://www.endorlabs.com/