vPrioritizer enables us to understand the contextualized risk (vPRisk) on asset-vulnerability relationship level across the organization, for teams to make more informed decision about what (vulnerability/ties) they should remediate (or can afford not to) and on which (asset/s)
Thanks for all the good work automating things here. It looks like an important project.
Asset significance and vulnerability severity may not be the right concepts for the prioritization decision though. What are your thoughts on using something like SSVC?
https://github.com/CERTCC/SSVC
It's mostly conceptual so far, but you've done the hard coding work already, the prioritization decision is a small plug-in that is available there, once the data is collected. What would it take to make the decision a bit more transparent along the lines of SSVC? Would that be worthwhile?
Thanks for all the good work automating things here. It looks like an important project. Asset significance and vulnerability severity may not be the right concepts for the prioritization decision though. What are your thoughts on using something like SSVC? https://github.com/CERTCC/SSVC
It's mostly conceptual so far, but you've done the hard coding work already, the prioritization decision is a small plug-in that is available there, once the data is collected. What would it take to make the decision a bit more transparent along the lines of SSVC? Would that be worthwhile?