Synopsys Software Integrity Group, profile picture
Uploaded bySynopsys Software Integrity Group
125 views

Webinar–5 ways to risk rank your vulnerabilities

The document outlines a framework for risk-ranking vulnerabilities, emphasizing the importance of understanding the nature of vulnerabilities, their potential exploiters, their locations, and their age. It highlights that over 50% of code in many industries comprises open source, which has significant implications for security. The document also provides resources for further information on vulnerabilities and recommends assessing various factors that contribute to risk levels.

Embed presentation

Nivedita Murthy (Security Consultant) 5 Ways to Risk Rank Your Vulnerabilities
© 2019 Synopsys, Inc. 2 Used 96% Did Not Use 4% Open source usage Open source is in everything! 60% 40% 70 % 30 % Cyber security 74 % 26 % Internet & mobile apps 64 % 36 % Finance & healthcare 62 % 38 % Retail & e-commerce In 13 out of 17 industries, more than 50% of the average codebase comprised open source. Source: Synopsys Open Source Security and Risk Analysis
© 2019 Synopsys, Inc. 3 Security breaches due to open source
© 2019 Synopsys, Inc. 4 • Get more information! – CVE, Common Vulnerabilities & Exposures: https://cve.mitre.org/index.html – US-CERT: https://www.us-cert.gov/ncas/alerts – NVD, National Vulnerabilities Database: https://nvd.nist.gov – Threat intelligence – Monitor newsfeeds • Vulnerability scoring and its effectiveness – CVSS scores: https://www.first.org/cvss/ – CVSS score provided in NVD is just base score – Does not include “temporal” or “environmental” score – Environmental score differs; it is perceptive – https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator Existing methodologies
© 2019 Synopsys, Inc. 5
© 2019 Synopsys, Inc. 6 The 5 Ws
© 2019 Synopsys, Inc. 7 • What is the vulnerability all about? – XSS? – Injection? – Denial of service? – Remote code execution? • Exploit description • The easier it is, the higher the risk • The higher the damage/impact, the higher the risk What?
© 2019 Synopsys, Inc. 8 • Who can exploit this vulnerability? • What privileges does the user need to exploit this vulnerability? – None? – Admin/root? – Any authenticated user? Who?
© 2019 Synopsys, Inc. 9 • Where was this vulnerability found? What is the attack vector? – Application level? – Network level? – Server level? Where?
© 2019 Synopsys, Inc. 10 • How old is this vulnerability? • The older the wine, the finer it is • Hackers are attracted more to older vulnerabilities • 43% of codebases scanned in 2018 had vulnerabilities over 10 years old—wide landscape When?
© 2019 Synopsys, Inc. 11 • Why is it not possible to exploit this vulnerability? – Mitigating factors in environment? – Unused functionality? – Different version? Why?
© 2019 Synopsys, Inc. 12 • What • Who • Where • When Contextual decisions Impact Unauthenticated Admin/root Application/ formServer/database New Old Confidentiality IntegrityAvailability
© 2019 Synopsys, Inc. 13 Questions?
Thank You

More Related Content

PDF
Webinar–That is Not How This Works
bySynopsys Software Integrity Group
 
PDF
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
bySynopsys Software Integrity Group
 
PDF
Webinar–You've Got Your Open Source Audit Report–Now What?
bySynopsys Software Integrity Group
 
PDF
Webinar–Best Practices for DevSecOps at Scale
bySynopsys Software Integrity Group
 
PDF
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
bySynopsys Software Integrity Group
 
PDF
Webinar–Delivering a Next Generation Vulnerability Feed
bySynopsys Software Integrity Group
 
PDF
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
bySynopsys Software Integrity Group
 
PDF
Webinar–OWASP Top 10 for JavaScript for Developers
bySynopsys Software Integrity Group
 
Webinar–That is Not How This Works
bySynopsys Software Integrity Group
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
bySynopsys Software Integrity Group
 
Webinar–You've Got Your Open Source Audit Report–Now What?
bySynopsys Software Integrity Group
 
Webinar–Best Practices for DevSecOps at Scale
bySynopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
bySynopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
bySynopsys Software Integrity Group
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
bySynopsys Software Integrity Group
 
Webinar–OWASP Top 10 for JavaScript for Developers
bySynopsys Software Integrity Group
 

What's hot

PDF
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
bySynopsys Software Integrity Group
 
PDF
Webinar–Using Evidence-Based Security
bySynopsys Software Integrity Group
 
PDF
Webinar–The 2019 Open Source Year in Review
bySynopsys Software Integrity Group
 
PDF
Webinar–Why All Open Source Scans Aren't Created Equal
bySynopsys Software Integrity Group
 
PDF
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
bySynopsys Software Integrity Group
 
PDF
Webinar–What You Need To Know About Open Source Licensing
bySynopsys Software Integrity Group
 
PDF
Webinar–The State of Open Source in M&A Transactions
bySynopsys Software Integrity Group
 
PDF
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
bySynopsys Software Integrity Group
 
PDF
Webinar–Mobile Application Hardening Protecting Business Critical Apps
bySynopsys Software Integrity Group
 
PPTX
Black Duck & IBM Present: Application Security in the Age of Open Source
byBlack Duck by Synopsys
 
PDF
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
bySynopsys Software Integrity Group
 
PDF
Preventing Code Leaks & Other Critical Security Risks from Code
byDevOps.com
 
PDF
Webinar – Security Tool Misconfiguration and Abuse
bySynopsys Software Integrity Group
 
PDF
Webinar–AppSec: Hype or Reality
bySynopsys Software Integrity Group
 
PDF
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
bySynopsys Software Integrity Group
 
PPTX
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
byBlack Duck by Synopsys
 
PDF
Cyber Threat Intelligence: Highlights and Trends for 2020
byDevOps.com
 
PDF
Open Source Outlook: Expected Developments for 2016
byBlack Duck by Synopsys
 
PPTX
Automate and Enhance Application Security Analysis
byCarlos Andrés García
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
bySynopsys Software Integrity Group
 
Webinar–Using Evidence-Based Security
bySynopsys Software Integrity Group
 
Webinar–The 2019 Open Source Year in Review
bySynopsys Software Integrity Group
 
Webinar–Why All Open Source Scans Aren't Created Equal
bySynopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
bySynopsys Software Integrity Group
 
Webinar–What You Need To Know About Open Source Licensing
bySynopsys Software Integrity Group
 
Webinar–The State of Open Source in M&A Transactions
bySynopsys Software Integrity Group
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
bySynopsys Software Integrity Group
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
bySynopsys Software Integrity Group
 
Black Duck & IBM Present: Application Security in the Age of Open Source
byBlack Duck by Synopsys
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
bySynopsys Software Integrity Group
 
Preventing Code Leaks & Other Critical Security Risks from Code
byDevOps.com
 
Webinar – Security Tool Misconfiguration and Abuse
bySynopsys Software Integrity Group
 
Webinar–AppSec: Hype or Reality
bySynopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
bySynopsys Software Integrity Group
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
byBlack Duck by Synopsys
 
Cyber Threat Intelligence: Highlights and Trends for 2020
byDevOps.com
 
Open Source Outlook: Expected Developments for 2016
byBlack Duck by Synopsys
 
Automate and Enhance Application Security Analysis
byCarlos Andrés García
 

Similar to Webinar–5 ways to risk rank your vulnerabilities

PDF
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
byOutpost24
 
PDF
11th Website Security Statistics -- Presentation Slides (Q1 2011)
byJeremiah Grossman
 
PPTX
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
PDF
Outpost24 webinar - risk based vulnerability management - what's in a risk score
byOutpost24
 
PDF
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
PDF
edgescan vulnerability stats report (2019)
byEoin Keary
 
PDF
Fix What Matters
byEd Bellis
 
PDF
Webinar–2019 Open Source Risk Analysis Report
bySynopsys Software Integrity Group
 
PPTX
Vulnerability_Management.pptx
byShriya Rai
 
PDF
Edgescan vulnerability stats report 2020
byEoin Keary
 
PPTX
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
PDF
CEH v12 Lesson 5 _ Vulnerability Assessment To (1).pdf
byTrungNguyn964221
 
PDF
Risksense: 7 Experts on Threat and Vulnerability Management
byMighty Guides, Inc.
 
PPTX
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
bylior mazor
 
PPT
Vuln.ppt
bykarthikvcyber
 
PPT
Vuln_Man_91003.ppt
byKRISHNARAJ207
 
PPT
Vulnerability manager v1.0
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
PDF
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
byTheresa Mammarella
 
PDF
Open Source Security for Newbies - Best Practices
byBlack Duck by Synopsys
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
byOutpost24
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
byJeremiah Grossman
 
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
Outpost24 webinar - risk based vulnerability management - what's in a risk score
byOutpost24
 
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
edgescan vulnerability stats report (2019)
byEoin Keary
 
Fix What Matters
byEd Bellis
 
Webinar–2019 Open Source Risk Analysis Report
bySynopsys Software Integrity Group
 
Vulnerability_Management.pptx
byShriya Rai
 
Edgescan vulnerability stats report 2020
byEoin Keary
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
CEH v12 Lesson 5 _ Vulnerability Assessment To (1).pdf
byTrungNguyn964221
 
Risksense: 7 Experts on Threat and Vulnerability Management
byMighty Guides, Inc.
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
bylior mazor
 
Vuln.ppt
bykarthikvcyber
 
Vuln_Man_91003.ppt
byKRISHNARAJ207
 
Vulnerability manager v1.0
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
byTheresa Mammarella
 
Open Source Security for Newbies - Best Practices
byBlack Duck by Synopsys
 

More from Synopsys Software Integrity Group

PDF
Webinar–Segen oder Fluch?
bySynopsys Software Integrity Group
 
PDF
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
bySynopsys Software Integrity Group
 
PDF
Webinar – Software Security 2019–Embrace Velocity
bySynopsys Software Integrity Group
 
PDF
Webinar - Developers Are Your Greatest AppSec Resource
bySynopsys Software Integrity Group
 
PDF
Webinar – Using Metrics to Drive Your Software Security Initiative
bySynopsys Software Integrity Group
 
PDF
Webinar – Risk-based adaptive DevSecOps
bySynopsys Software Integrity Group
 
PDF
Webinar–Vulnerabilities in Containerised Production Environments
bySynopsys Software Integrity Group
 
PDF
Infographic–A Look Back at the First Year of GDPR
bySynopsys Software Integrity Group
 
PDF
Webinar–Open Source Risk in M&A by the Numbers
bySynopsys Software Integrity Group
 
PPTX
Webinar–Reviewing Modern JavaScript Applications
bySynopsys Software Integrity Group
 
Webinar–Segen oder Fluch?
bySynopsys Software Integrity Group
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
bySynopsys Software Integrity Group
 
Webinar – Software Security 2019–Embrace Velocity
bySynopsys Software Integrity Group
 
Webinar - Developers Are Your Greatest AppSec Resource
bySynopsys Software Integrity Group
 
Webinar – Using Metrics to Drive Your Software Security Initiative
bySynopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
bySynopsys Software Integrity Group
 
Webinar–Vulnerabilities in Containerised Production Environments
bySynopsys Software Integrity Group
 
Infographic–A Look Back at the First Year of GDPR
bySynopsys Software Integrity Group
 
Webinar–Open Source Risk in M&A by the Numbers
bySynopsys Software Integrity Group
 
Webinar–Reviewing Modern JavaScript Applications
bySynopsys Software Integrity Group
 

Recently uploaded

PPTX
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
PDF
Using Agentic RAG for Research - Demonstration of NotebookLM
byRathish Chandra Gatti,Ph.D
 
PPTX
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
PPTX
OTT Content Analytics Enhanced by ALTBalaji Data Scraping.pptx
byyashpatric
 
PDF
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
PDF
One Agent to Rule Them All - The Fellowship of AI Agents
byIvo Andreev
 
PDF
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
PDF
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
PDF
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
PPTX
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
PDF
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
PDF
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
PDF
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
PPTX
Week 7 Introduction to HTML PowerPoint Notes.pptx
bylesandawelgens
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
DSD-INT 2025 Managing low flows in the International Meuse Basin with Nature-...
byDeltares
 
PDF
DSD-INT 2025 Hydrological Modelling in Society Assumptions, Impacts, and Appl...
byDeltares
 
PDF
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
PPTX
Modern P&C Insurance Software for Smarter, Faster Operations.pptx
byInsurance Tech Services
 
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
Using Agentic RAG for Research - Demonstration of NotebookLM
byRathish Chandra Gatti,Ph.D
 
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
OTT Content Analytics Enhanced by ALTBalaji Data Scraping.pptx
byyashpatric
 
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
One Agent to Rule Them All - The Fellowship of AI Agents
byIvo Andreev
 
DSD-INT 2025 Integrating Nature-Based Solutions into Hydrological Models A Li...
byDeltares
 
Solved First Semester B.C.A. C Programming Question Paper – Jan/Feb 2025
byKuvempu University
 
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
Week 7 Introduction to HTML PowerPoint Notes.pptx
bylesandawelgens
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
DSD-INT 2025 Managing low flows in the International Meuse Basin with Nature-...
byDeltares
 
DSD-INT 2025 Hydrological Modelling in Society Assumptions, Impacts, and Appl...
byDeltares
 
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
Modern P&C Insurance Software for Smarter, Faster Operations.pptx
byInsurance Tech Services
 

Webinar–5 ways to risk rank your vulnerabilities

  • 1.
    Nivedita Murthy (SecurityConsultant) 5 Ways to Risk Rank Your Vulnerabilities
  • 2.
    © 2019 Synopsys,Inc. 2 Used 96% Did Not Use 4% Open source usage Open source is in everything! 60% 40% 70 % 30 % Cyber security 74 % 26 % Internet & mobile apps 64 % 36 % Finance & healthcare 62 % 38 % Retail & e-commerce In 13 out of 17 industries, more than 50% of the average codebase comprised open source. Source: Synopsys Open Source Security and Risk Analysis
  • 3.
    © 2019 Synopsys,Inc. 3 Security breaches due to open source
  • 4.
    © 2019 Synopsys,Inc. 4 • Get more information! – CVE, Common Vulnerabilities & Exposures: https://cve.mitre.org/index.html – US-CERT: https://www.us-cert.gov/ncas/alerts – NVD, National Vulnerabilities Database: https://nvd.nist.gov – Threat intelligence – Monitor newsfeeds • Vulnerability scoring and its effectiveness – CVSS scores: https://www.first.org/cvss/ – CVSS score provided in NVD is just base score – Does not include “temporal” or “environmental” score – Environmental score differs; it is perceptive – https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator Existing methodologies
  • 5.
  • 6.
    © 2019 Synopsys,Inc. 6 The 5 Ws
  • 7.
    © 2019 Synopsys,Inc. 7 • What is the vulnerability all about? – XSS? – Injection? – Denial of service? – Remote code execution? • Exploit description • The easier it is, the higher the risk • The higher the damage/impact, the higher the risk What?
  • 8.
    © 2019 Synopsys,Inc. 8 • Who can exploit this vulnerability? • What privileges does the user need to exploit this vulnerability? – None? – Admin/root? – Any authenticated user? Who?
  • 9.
    © 2019 Synopsys,Inc. 9 • Where was this vulnerability found? What is the attack vector? – Application level? – Network level? – Server level? Where?
  • 10.
    © 2019 Synopsys,Inc. 10 • How old is this vulnerability? • The older the wine, the finer it is • Hackers are attracted more to older vulnerabilities • 43% of codebases scanned in 2018 had vulnerabilities over 10 years old—wide landscape When?
  • 11.
    © 2019 Synopsys,Inc. 11 • Why is it not possible to exploit this vulnerability? – Mitigating factors in environment? – Unused functionality? – Different version? Why?
  • 12.
    © 2019 Synopsys,Inc. 12 • What • Who • Where • When Contextual decisions Impact Unauthenticated Admin/root Application/ formServer/database New Old Confidentiality IntegrityAvailability
  • 13.
    © 2019 Synopsys,Inc. 13 Questions?
  • 14.