Vulnerability Prioritization: An Offensive Security Approach
This work addresses the challenge for organizations in managing vulnerabilities more effectively, though it appears incremental as it builds on existing prioritization methods.
The paper tackles the problem of vulnerability prioritization in cloud environments by proposing a new approach inspired by offensive security practices, achieving improved accuracy through a real-world case study and machine learning automation.
Organizations struggle to handle sheer number of vulnerabilities in their cloud environments. The de facto methodology used for prioritizing vulnerabilities is to use Common Vulnerability Scoring System (CVSS). However, CVSS has inherent limitations that makes it not ideal for prioritization. In this work, we propose a new way of prioritizing vulnerabilities. Our approach is inspired by how offensive security practitioners perform penetration testing. We evaluate our approach with a real world case study for a large client, and the accuracy of machine learning to automate the process end to end.