A high-level overview of the Vulnerability Risk Rating (VRR) scoring methodology and why it’s useful.
By capturing threat context in our Vulnerability Risk Rating (VRR), RiskSense can consistently prioritize vulnerabilities that are critical indicators of potential compromise across host and application findings.
What is Vulnerability Risk Rating (VRR)?
VRR represents the risk posed by a given vulnerability, provided as a numerical score between 0 and 10. The higher the risk, the higher the VRR. The score quantifies adversarial risk by leveraging standardized metrics and knowledge gathered by application scanners through black-box testing. For applications, industry-standard sources such as the 2019 CWE Top 25 Most Dangerous Software Errors and 2017 OWASP Top 10 are combined with subject matter expertise from penetration testers to build data-driven models used to inform the scoring algorithm.
How does Vulnerability Risk Rating differ from other scoring methods?
The Common Vulnerability Scoring System (CVSS) alone cannot provide a complete picture of the severity posed by a software vulnerability. In addition, while vulnerability scanners are helpful and reliable security testing tools in identifying potential security threats and architectural weaknesses, they lack the ability to provide additional context within specific environments.
Network vulnerabilities are frequently associated with Common Vulnerabilities and Exposures (CVEs) and are given a CVSS score. However, according to the National Vulnerability Database (NVD), 59% of vulnerabilities are rated High or Critical. Using CVSS alone for prioritization is impossible in this situation, and the NVD provides little to no clarifying threat context.
Application vulnerabilities are even more challenging to quantify, since very few are associated with CVEs. In these cases, we rely instead on Common Weakness Enumerations (CWEs), which are more generally appropriate for application weaknesses. Some CWEs have standardized scores; others do not.
To address these inconsistencies, VRR utilizes a combination of scanner information and RiskSense’s threat intelligence to widen the lens on these application weaknesses, building a larger body of context for each one. Rather than categorically increasing base level scores (resulting in risk inflation), the VRR algorithm intelligently separates and elevates the riskiest weaknesses, allowing you to prioritize effectively with scores that are both accurate and actionable.
Why is Vulnerability Risk Rating important?
To improve vulnerability remediation strategies, organizations need to accurately measure impact and determine the likelihood that a vulnerability will be exploited. By factoring in threat intelligence and human judgment, VRR makes vulnerabilities actionable through a thorough understanding of their full context, including the environments in which they are found and any active exploits. Organizations require a well-rounded view of vulnerabilities if they are to prioritize remediation. By infusing the approach with subject matter expertise and threat intelligence, VRR becomes essential for optimizing risk management of your organization’s infrastructure and applications.
Critical: 9.0 ≤ VRR ≤ 10.0
High: 7.0 ≤ VRR < 9.0
Medium: 4.0 ≤ VRR < 7.0
Low: 0.0 < VRR < 4.0
Informational: VRR = 0.0