Set vulnerability patching priorities

There is a myth that the proverbial developer can fix each and every vulnerability, but that’s just not possible if the management team hasn’t prioritized resolution. To work effectively, patch priorities should align with the business importance of the asset being patched, the criticality of the asset, and the risk of exploitation.

However, as noted earlier, it’s also important to understand that your patch policies for commercial software and open source components will differ. While commercial vendors can push updates and security information to you, open source patches originate from either the root project or the distribution channel where the component was originally obtained.

Only a fraction of open source vulnerabilities—such as those affecting Apache Struts or OpenSSL—are likely to be widely exploited. With that in mind, organizations should prioritize their mitigation efforts by using CVSS scores and Common Weakness Enumeration (CWE) information, as well as the availability of exploits, not only on “day zero” of a vulnerability disclosure but over the life cycle of the open source component.

Vulnerabilities in the National Vulnerability Database (NVD) have a base score that aids in calculating severity and can be used as a factor for prioritizing remediation. Software composition analysis (SCA) solutions such as Black Duck provide a temporal score in addition to the CVSS base, exploitability, and impact scores. Temporal scores are based on metrics that change over time due to external events. Remediation levels (Is there an official fix available?) and report confidence (Is this report confirmed?) additionally help temper the overall CVSS score to an appropriate level of risk.

CWE is a list of software or hardware weakness types that have security ramifications. A CWE tells developers which weakness leads to the vulnerability in question. This information can help clarify what you’re dealing with and adds one more piece of information to help assess the severity of the vulnerability. For example, a development team may prioritize a SQL injection differently than a buffer overflow or denial of service.

The existence of an exploit will raise the risk score and help remediation teams prioritize the highest-risk vulnerabilities first. Understanding whether there is an existing solution or workaround is another key piece of information to look to once you have assessed the overall risk. If you have two medium-risk vulnerabilities without exploits available, the final determination of which to fix first might come down to whether either of them has a solution or workaround available.