Squirrel Goes Down the Rabbit Hole … Podcast

On November 17, I joined the three hosts of the Down the Security Rabbithole (DtSR) podcast to talk about CVSS, CVE, and how they play into risk and defending networks. My time followed Robert “RSnake” Hansen’s podcast, where he had a pretty controversial take on risk management. One of the hosts, Rafal Los, asked for my thoughts, and after I listened I shared enough to prompt him to ask me to do the next one. So, here is one of my rare podcast appearances!

The hosts, Rafal Los, James Jardine, and Jim Tiller, asked questions around the CVE program, using CVSS to calculate risk, and my take on Hansen’s take. While we largely agree and I respect Hansen’s approach, I took a bit of exception to some of the building blocks that led to his stance. So I talked a fair amount about Known Exploited Vulnerabilities (KEV), which was a core part of his take. The big takeaway from my time on the topic is that KEV is a much bigger moving target than many realize. The numbers I threw out, I think, helped establish just how big of a gap there is, depending on the source of vulnerability intelligence you use.

I appreciated the chance to share on the podcast, and it was great catching up a bit with Rafal and Jim, both of whom I have known for a good while. Jim a lot longer, as we realized it was probably 2002 or so since we last crossed paths. Anyway, if you are interested in the topic, have a listen! Feel free to share your feedback here or on LinkedIn and call me out if you feel I was wrong about anything. =)
