varchashva / vPrioritizer

vPrioritizer enables us to understand the contextualized risk (vPRisk) at the asset-vulnerability relationship level across the organization, so that teams can make more informed decisions about which vulnerability(ies) they should remediate (or can afford not to) and on which asset(s).
GNU General Public License v3.0

Prioritization method #2

Open j--- opened 3 years ago

j--- commented 3 years ago

Thanks for all the good work automating things here. It looks like an important project. Asset significance and vulnerability severity may not be the right concepts for the prioritization decision though. What are your thoughts on using something like SSVC? https://github.com/CERTCC/SSVC

It's mostly conceptual so far, but you've done the hard coding work already; the prioritization decision is a small plug-in that is available there, once the data is collected. What would it take to make the decision a bit more transparent along the lines of SSVC? Would that be worthwhile?
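To make concrete what a "transparent decision plug-in" along the lines of SSVC could look like once the asset and vulnerability data are collected, here is an added illustration. It is not code from vPrioritizer or from the CERT/CC SSVC project. The decision-point names (exploitation, exposure, utility, human impact) and the four outcomes mirror SSVC's deployer tree, but the rule mapping below is an assumed, simplified one written for this example, not the published SSVC table; the asset and vulnerability identifiers in the sample findings are constructed placeholders. The point it demonstrates is that each decision returns the path of reasons that produced it, which is what a single severity-times-significance score cannot do.

```python
"""Transparent, SSVC-style prioritization step for an asset-vulnerability pair.

Added illustration, not code from vPrioritizer or from the CERT/CC SSVC project.
The decision-point names and the four outcomes mirror SSVC's deployer tree, but
the rules below are an assumed, simplified mapping, not the published table.
"""
from dataclasses import dataclass
from enum import IntEnum
from itertools import product


# Ordered decision points: a larger value means "worse" for the defender.
class Exploitation(IntEnum):
    NONE = 0        # no public exploit known
    POC = 1         # proof-of-concept exists
    ACTIVE = 2      # exploitation observed in the wild


class Exposure(IntEnum):
    SMALL = 0       # local / not reachable
    CONTROLLED = 1  # reachable but behind compensating controls
    OPEN = 2        # internet-facing or otherwise widely reachable


class Utility(IntEnum):
    LABORIOUS = 0
    EFFICIENT = 1
    SUPER_EFFECTIVE = 2


class HumanImpact(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    VERY_HIGH = 3


class Action(IntEnum):
    DEFER = 0
    SCHEDULED = 1
    OUT_OF_CYCLE = 2
    IMMEDIATE = 3


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    exploitation: Exploitation
    exposure: Exposure
    utility: Utility
    human_impact: HumanImpact


def decide(f: Finding) -> tuple[Action, list[str]]:
    """Walk an ordered rule list; return the action and the reasons taken.

    Returning the path is the point: a score of 0.73 says nothing about why,
    whereas "active exploitation + high human impact" can be reviewed.
    """
    path: list[str] = []
    if f.exploitation == Exploitation.ACTIVE:
        path.append("exploitation is active")
        if f.human_impact >= HumanImpact.HIGH:
            path.append("human impact is high or very high")
            return Action.IMMEDIATE, path
        if f.exposure == Exposure.SMALL and f.human_impact == HumanImpact.LOW:
            path.append("exposure is small and human impact is low")
            return Action.SCHEDULED, path
        path.append("exposure or impact is not negligible")
        return Action.OUT_OF_CYCLE, path

    if f.exploitation == Exploitation.POC:
        path.append("public proof-of-concept exists")
        if f.human_impact == HumanImpact.VERY_HIGH or (
            f.exposure == Exposure.OPEN and f.human_impact >= HumanImpact.HIGH
        ):
            path.append("impact is very high, or open exposure with high impact")
            return Action.OUT_OF_CYCLE, path
        if (f.exposure == Exposure.SMALL and f.human_impact == HumanImpact.LOW
                and f.utility == Utility.LABORIOUS):
            path.append("small exposure, low impact, laborious for an attacker")
            return Action.DEFER, path
        path.append("default for PoC-stage vulnerabilities")
        return Action.SCHEDULED, path

    path.append("no known exploitation")
    if f.human_impact >= HumanImpact.HIGH and f.exposure == Exposure.OPEN:
        path.append("open exposure with high or very high impact")
        return Action.SCHEDULED, path
    if f.human_impact == HumanImpact.VERY_HIGH:
        path.append("very high human impact regardless of exposure")
        return Action.SCHEDULED, path
    path.append("low/medium impact or limited exposure")
    return Action.DEFER, path


def prioritize(findings: list[Finding]) -> list[tuple[Finding, Action, list[str]]]:
    """Decide every finding and order the list most urgent first."""
    decided = [(f, *decide(f)) for f in findings]
    return sorted(decided, key=lambda row: row[1], reverse=True)


def tree_is_total() -> bool:
    """Check that every combination of decision points yields an action and a reason."""
    for combo in product(Exploitation, Exposure, Utility, HumanImpact):
        action, path = decide(Finding("asset", "vuln", *combo))
        if not isinstance(action, Action) or not path:
            return False
    return True


# Constructed sample findings; asset and vulnerability ids are placeholders.
SAMPLE = [
    Finding("web-01", "VULN-A", Exploitation.ACTIVE, Exposure.OPEN, Utility.EFFICIENT, HumanImpact.HIGH),
    Finding("build-07", "VULN-B", Exploitation.POC, Exposure.SMALL, Utility.LABORIOUS, HumanImpact.LOW),
    Finding("db-02", "VULN-C", Exploitation.NONE, Exposure.CONTROLLED, Utility.SUPER_EFFECTIVE, HumanImpact.VERY_HIGH),
]

if __name__ == "__main__":
    for finding, action, reasons in prioritize(SAMPLE):
        print(f"{finding.asset}/{finding.vuln_id}: {action.name:<12} because " + "; ".join(reasons))
```

The `tree_is_total` check is the part a reviewer of such a plug-in would want: an ordered rule list that silently falls through for some input combination is the usual way a "transparent" decision becomes opaque again.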

varchashva commented 3 years ago

Thanks @j---, I will look into this surely.