Sightings

[j---]

Good work from Yahoo using SSVC:
https://github.com/theparanoids/PrioritizedRiskRemediation
The Risk Remediation Taxonomy and Decision Tree are part of a conference presentation by Yahoo Chris Madden: https://www.bsidesdub.ie/ May 27 2023.

See the slide deck and the recording.

[j---]

Post from Nucleus Security research lead:
https://www.linkedin.com/posts/patrickmgarrity_a-guide-to-automating-vulnerability-prioritization-activity-7087527275583205376-fobq

[sei-vsarvepalli]

More from Nucleus on youtube interview about 6 months before the article https://www.youtube.com/watch?v=LV6PclEQ3QA&t=42s

[j---]

Webinar with Chris Madden and Stephen Shaffer hosted by Nucleus. https://www.youtube.com/watch?v=25RHdcSwHCg

[sei-vsarvepalli]

Fortinet's FortiSOAR (Managed SOC Services) also had a linked in post mentioning use of SSVC, but details are still being tracked down from Amit Jain https://www.linkedin.com/posts/amitjainixd_fortisoar-cisa-nvd-activity-7079009317193998336-9N-d?utm_source=share&utm_medium=member_desktop

[sei-vsarvepalli]

More on FortiSOAR in the youtube demo of their use of SSVC in their managed SOC workflow:
https://youtu.be/eZekKteZbLE?si=e9Hq7DWQWlBWfNKF&t=735

[sei-vsarvepalli]

Qualys - https://blog.qualys.com/product-tech/2022/11/30/effective-vulnerability-management-with-ssvc-and-qualys-trurisk
Tar Logic - https://www.tarlogic.com/blog/ssvc/
Endor Labs - https://www.endorlabs.com/blog/cve-vulnerability-epss-ssvc-reachability-vex
Stephen Shaffer - https://stephenshaffer.io/flipping-the-vulnerability-management-model-cvss-ssvc-aaa78f1426e1
Future Corp - https://vuls.biz/en/features_ssvc

Just dumping from my notes before I loose these.

[ahouseholder]

Should we be capturing these in a page in the docs/ hierarchy? We have some video and other links in https://certcc.github.io/SSVC-staging/tutorials/ (docs/tutorials/index.md) but I wonder if a separate sightings page would be useful. Maybe either in the docs/about section? or even as a sidebar or inset on the home page https://certcc.github.io/SSVC-staging/ (docs/index.md)?

[ahouseholder]

• 2023-11-04 Taking The Next Steps For Vulnerability Risk with SSVC https://www.silk.security/vulnerability-management-lifecycle/ssvc

• 2023-11-14 How to Prioritize AppSec Risks: CVSS, EPSS, and Too Much Data https://www.youtube.com/watch?v=gxZ1Twa35Po

• 2023-11-17 What the heck is: Vulnerability Management in CMMC? https://www.totem.tech/vulnerability-management-for-cmmc/

• 2023-12-18 Will Putting a Dollar Value on Vulnerabilities Help Prioritize Them? https://www.darkreading.com/application-security/putting-dollar-value-vulnerabilities-prioritize

• 2024-01-25 From Millions to Minimal Risks via SSVC-based Risk Prioritization https://www.youtube.com/watch?v=VSNL8Eq1yXY

• (undated) SanerNow claims "Prioritizes vulnerabilities based on risks, exploitability level, and high-fidelity attack mapping using the world's first SSVC-based framework." https://www.secpod.com/sanernow-vs-manageengine/

[ahouseholder]

2024-02-14 Applying Vulnerability Intelligence to CVSS and SSVC Frameworks https://www.youtube.com/watch?v=Gn1t7ljdSH0

2024-02-15 No More Business As Usual: Vulnerability Management Focused On Managing Risk https://www.spiceworks.com/it-security/vulnerability-management/guest-article/best-vulnerability-management-practices/

2024-02-24 5 Things to Consider Before Using SSVC Vulnerability Prioritization Framework https://nucleussec.com/blog/5-things-to-consider-before-using-ssvc-to-automate-vulnerability-prioritization/

[ahouseholder]

2024-02-15 The SSVC risk prioritization method: what it is, when to use it, and alternatives https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/

[tdsnoke]

11-16-2022 Using ssvc decision trees intelligence-led vulnerability management https://nucleussec.com/blog/ssvc-decision-trees-intelligence-led-vulnerability-management

[sei-vsarvepalli]

Yotam Perkal talk on SSVC
https://www.first.org/resources/papers/vulncon2024/VulnCon-Why-Can-t-We-All-Just-Get-Along.pdf

[sei-vsarvepalli]

Pinochle.AI
https://www.linkedin.com/pulse/stakeholder-specific-vulnerability-categorization-ssvc

Silk Security blog
https://www.linkedin.com/pulse/taking-next-steps-vulnerability-risk-ssvc-silk-security-mpbse

[ahouseholder]

2024-03: Risk Based Prioritization https://riskbasedprioritization.github.io/ uses a customized SSVC derived from CISA's implementation that incorporates threat feeds and other operational data in improving vulnerability response decisions.

[ahouseholder]

2024-05-09: CISA Vulnrichment adds SSVC decision point info from CISA analysts to CVE data as an ADP provider.

On github:

• https://github.com/cisagov/vulnrichment

Media coverage:

• https://www.securityweek.com/cisa-announces-cve-enrichment-project-vulnrichment/
• https://www.helpnetsecurity.com/2024/05/09/cisa-vulnrichment-cve-enrichment/
• https://www.infosecurity-magazine.com/news/cisa-launches-vulnrichment-program/