Sightings

[j---]

Good work from Yahoo using SSVC:
https://github.com/theparanoids/PrioritizedRiskRemediation
The Risk Remediation Taxonomy and Decision Tree are part of a conference presentation by Yahoo Chris Madden: https://www.bsidesdub.ie/ May 27 2023.

See the slide deck and the recording.

[j---]

Post from Nucleus Security research lead:
https://www.linkedin.com/posts/patrickmgarrity_a-guide-to-automating-vulnerability-prioritization-activity-7087527275583205376-fobq

[sei-vsarvepalli]

More from Nucleus on youtube interview about 6 months before the article https://www.youtube.com/watch?v=LV6PclEQ3QA&t=42s

[j---]

Webinar with Chris Madden and Stephen Shaffer hosted by Nucleus. https://www.youtube.com/watch?v=25RHdcSwHCg

[sei-vsarvepalli]

Fortinet's FortiSOAR (Managed SOC Services) also had a linked in post mentioning use of SSVC, but details are still being tracked down from Amit Jain https://www.linkedin.com/posts/amitjainixd_fortisoar-cisa-nvd-activity-7079009317193998336-9N-d?utm_source=share&utm_medium=member_desktop

[sei-vsarvepalli]

More on FortiSOAR in the youtube demo of their use of SSVC in their managed SOC workflow:
https://youtu.be/eZekKteZbLE?si=e9Hq7DWQWlBWfNKF&t=735

[sei-vsarvepalli]

Qualys - https://blog.qualys.com/product-tech/2022/11/30/effective-vulnerability-management-with-ssvc-and-qualys-trurisk
Tar Logic - https://www.tarlogic.com/blog/ssvc/
Endor Labs - https://www.endorlabs.com/blog/cve-vulnerability-epss-ssvc-reachability-vex
Stephen Shaffer - https://stephenshaffer.io/flipping-the-vulnerability-management-model-cvss-ssvc-aaa78f1426e1
Future Corp - https://vuls.biz/en/features_ssvc

Just dumping from my notes before I loose these.

[ahouseholder]

Should we be capturing these in a page in the docs/ hierarchy? We have some video and other links in https://certcc.github.io/SSVC-staging/tutorials/ (docs/tutorials/index.md) but I wonder if a separate sightings page would be useful. Maybe either in the docs/about section? or even as a sidebar or inset on the home page https://certcc.github.io/SSVC-staging/ (docs/index.md)?

[ahouseholder]

• 2023-11-04 Taking The Next Steps For Vulnerability Risk with SSVC https://www.silk.security/vulnerability-management-lifecycle/ssvc

• 2023-11-14 How to Prioritize AppSec Risks: CVSS, EPSS, and Too Much Data https://www.youtube.com/watch?v=gxZ1Twa35Po

• 2023-11-17 What the heck is: Vulnerability Management in CMMC? https://www.totem.tech/vulnerability-management-for-cmmc/

• 2023-12-18 Will Putting a Dollar Value on Vulnerabilities Help Prioritize Them? https://www.darkreading.com/application-security/putting-dollar-value-vulnerabilities-prioritize

• 2024-01-25 From Millions to Minimal Risks via SSVC-based Risk Prioritization https://www.youtube.com/watch?v=VSNL8Eq1yXY

• (undated) SanerNow claims "Prioritizes vulnerabilities based on risks, exploitability level, and high-fidelity attack mapping using the world's first SSVC-based framework." https://www.secpod.com/sanernow-vs-manageengine/

[ahouseholder]

2024-02-14 Applying Vulnerability Intelligence to CVSS and SSVC Frameworks https://www.youtube.com/watch?v=Gn1t7ljdSH0

2024-02-15 No More Business As Usual: Vulnerability Management Focused On Managing Risk https://www.spiceworks.com/it-security/vulnerability-management/guest-article/best-vulnerability-management-practices/

2024-02-24 5 Things to Consider Before Using SSVC Vulnerability Prioritization Framework https://nucleussec.com/blog/5-things-to-consider-before-using-ssvc-to-automate-vulnerability-prioritization/

[ahouseholder]

2024-02-15 The SSVC risk prioritization method: what it is, when to use it, and alternatives https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/

[tdsnoke]

11-16-2022 Using ssvc decision trees intelligence-led vulnerability management https://nucleussec.com/blog/ssvc-decision-trees-intelligence-led-vulnerability-management

[sei-vsarvepalli]

Yotam Perkal talk on SSVC
https://www.first.org/resources/papers/vulncon2024/VulnCon-Why-Can-t-We-All-Just-Get-Along.pdf

[sei-vsarvepalli]

Pinochle.AI
https://www.linkedin.com/pulse/stakeholder-specific-vulnerability-categorization-ssvc

Silk Security blog
https://www.linkedin.com/pulse/taking-next-steps-vulnerability-risk-ssvc-silk-security-mpbse

[ahouseholder]

2024-03: Risk Based Prioritization https://riskbasedprioritization.github.io/ uses a customized SSVC derived from CISA's implementation that incorporates threat feeds and other operational data in improving vulnerability response decisions.

[ahouseholder]

2024-05-09: CISA Vulnrichment adds SSVC decision point info from CISA analysts to CVE data as an ADP provider.

On github:

• https://github.com/cisagov/vulnrichment

Media coverage:

• https://www.securityweek.com/cisa-announces-cve-enrichment-project-vulnrichment/
• https://www.helpnetsecurity.com/2024/05/09/cisa-vulnrichment-cve-enrichment/
• https://www.infosecurity-magazine.com/news/cisa-launches-vulnrichment-program/

[ahouseholder]

Chris Hughes; Nikki Robinson, "Vulnerability Scoring and Software Identification," in Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem , Wiley, 2024, pp.79-114, doi: 10.1002/9781394277155.ch5. keywords: {Measurement;Organizations;Vectors;Software;NIST;Databases;Industries},

• https://ieeexplore.ieee.org/abstract/document/10494612 is a chapter in Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem

Chapter Abstract: This chapter discusses both the pros and cons of various scoring systems. The aim of Common Vulnerability Scoring System (CVSS) is to output a numerical score indicating the severity of a vulnerability among the broader collection of known vulnerabilities. There are four metric groups in CVSS 4.0: base, threat, environmental, and supplemental. The chapter looks at the evolving Exploit Prediction Scoring System (EPSS) model. EPSS aids practitioners and organizations who are looking to improve their vulnerability management activities. Stakeholder‐Specific Vulnerability Categorization (SSVC) utilizes decision trees to aid in vulnerability prioritization and seeks to address some of the shortfalls and critiques of more prominent options such as CVSS. SSVC's use of decision trees includes various elements of a decision, potential decision values, and potential outcomes. Various stakeholders from software and technology suppliers, consumers, vendors, and researchers use software identification formats to tie software and products to a specific vendor, for example.

[ahouseholder]

A paper was presented at the 41st Symposium on Cryptography and Information Security (SCIS2024) in Nagasaki earlier this year:

(Translated from Japanese by Google Translate)

1E1-3 Proposal of an SSVC decision tree considering the possibility of attack reach and SBOM cooperation,
Katsunori Hanano (PwC Consulting LLC), Naosho Kawahara (Okayama University), Junichi Murakami (PwC Consulting LLC), Yasuyuki Nogami (Okayama University)

Although the slides & paper have been shared with us, I don't currently have a link to a public version of them to share. We're in touch with the research team to see about integrating their suggestions though, keep an eye on new issues for further developments on that front.

[ahouseholder]

Looks like FutureVuls, Japanese tool, implements some support for SSVC:

• English page https://help.vuls.biz/en/manual/csirt_option/ssvc/
• Japanese page (more detail, use browser translation for non-jp) https://help.vuls.biz/manual/csirt_option/ssvc/explanation/

[sei-vsarvepalli]

BitSight on SSVC real world data analysis from CISA's vulnrichment information.

https://www.bitsight.com/blog/do-we-need-yet-another-vulnerability-scoring-system-ssvc-thats-yass

[ahouseholder]

The Challenge of Sticking to CISA’s Vulnerability Framework

The Cybersecurity and Infrastructure Security Agency created a framework for prioritizing vulnerabilities but following it manually can be a challenge. Here’s why, and what organizations can do to stay safe.

https://www.informationweek.com/cyber-resilience/the-challenge-of-sticking-to-cisa-s-vulnerability-framework

[ahouseholder]

Not a media report, but SSVC support is under consideration in OASIS CSAF

https://groups.oasis-open.org/discussion/motion-for-803#bm87c96b9f-de9e-4b75-9a60-25f534cfbbda