Vulnerabilities in cloud-native components such as container images can be detected using open-source tools such as Grype and Trivy, among others. Kubernetes has also announced an alpha version of its vulnerability feed.
Remediation efforts such as patching servers for vulnerabilities identified in cloud-native environments are often resource-intensive. IT administrators therefore need risk-based scoring mechanisms to prioritize those efforts. Considering the raw vulnerability score alone, without the asset context or the organization context, is not an optimal way to prioritize vulnerabilities; in fact, research has shown that it is counter-productive for managing risk.
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. These metrics describe the characteristics of the vulnerability itself, so a CVSS score is at most a vulnerability score, not a risk score. The mere presence of a vulnerability does not by itself mean risk. For example, consider a CVSSv3 score of 9.8, considered extremely critical, found on a Windows Server that holds minimal customer data, versus a CVSSv3 score of 7, considered moderate severity, found on a database server that contains most of your customer data. What if one CVE (Common Vulnerabilities and Exposures) has a known exploit and the other does not? What if the Windows Server faces the Internet, whereas the database server sits behind a VPN?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort to estimate the likelihood (probability) that a software vulnerability will be exploited in the wild. This score can at best estimate the future likelihood of a threat occurring; it still does not consider asset and organization context, so it does not qualify as a risk score.
Social Media Intelligence
Social media intelligence based tools such as CVE Trends depend on Twitter-based metrics to identify trending vulnerabilities. While it is useful to learn which vulnerabilities are trending, this metric, like CVSS, still lacks your asset and organization context.
To prioritize the vulnerabilities identified, the contextual risk factors below should be considered.
A risk score should be computed for each vulnerability using the below factors.
How To Prioritize
Standardized scores such as CVSS and EPSS, or for that matter social media intelligence (such as Twitter trends), are not really risk-based scoring techniques. A risk scoring mechanism should consider the above contextual risk factors to get a better return on the investment of available resources.
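The following is an added example, not code from the original article, that puts the CVSS-versus-context argument above into a small contextual risk calculation. It combines the factors the text names (CVSS severity, EPSS likelihood, whether a public exploit is known, Internet exposure versus being behind a VPN, and how much customer data the asset holds) and then ranks the same findings once by raw CVSS and once by contextual risk. The weighting formula, the 0.25 reachability factor for VPN-only assets, the 0.5 likelihood floor for known exploits, the sample assets and the `CVE-0000-...` identifiers are all assumptions constructed for the example, not values from the page or from any real scoring standard.

```python
"""Contextual risk scoring for vulnerability findings (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool    # True: reachable from the Internet; False: behind a VPN
    data_sensitivity: float  # 0.0 = no customer data .. 1.0 = most of your customer data


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder ids below, not real CVE numbers
    asset: Asset
    cvss: float              # CVSSv3 base score, 0.0 .. 10.0
    epss: float              # EPSS probability of exploitation, 0.0 .. 1.0
    known_exploit: bool      # a public exploit exists (assumed input, e.g. from a KEV-style list)


def risk_score(f: Finding) -> float:
    """Risk = likelihood x exposure x impact, scaled to 0..100 (assumed formula)."""
    # Likelihood: EPSS, but never below 0.5 once an exploit is publicly known (assumption).
    likelihood = max(f.epss, 0.5) if f.known_exploit else f.epss
    # Exposure: Internet-facing assets are fully reachable; VPN-only assets are
    # treated as 25% as reachable (assumption, tune to your network model).
    exposure = 1.0 if f.asset.internet_facing else 0.25
    # Impact: CVSS severity scaled by how much data the asset holds; a 0.2 floor keeps
    # a critical bug on a data-free host from scoring exactly zero.
    impact = (f.cvss / 10.0) * (0.2 + 0.8 * f.asset.data_sensitivity)
    return round(100.0 * likelihood * exposure * impact, 1)


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Naive ordering: highest raw CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """Contextual ordering: highest risk_score first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample data mirroring the article's scenario (not real assets or CVEs).
WINDOWS = Asset("win-file-server", internet_facing=True, data_sensitivity=0.1)
DATABASE = Asset("customer-db", internet_facing=False, data_sensitivity=0.9)
WEB = Asset("public-web", internet_facing=True, data_sensitivity=0.3)

SAMPLE_FINDINGS = [
    # 9.8 critical, but no known exploit, low EPSS, almost no customer data.
    Finding("CVE-0000-00001", WINDOWS, cvss=9.8, epss=0.02, known_exploit=False),
    # 7.0 on the database: behind a VPN, but exploited in the wild and holding most data.
    Finding("CVE-0000-00002", DATABASE, cvss=7.0, epss=0.6, known_exploit=True),
    # 7.5 on an Internet-facing web host with a very high EPSS.
    Finding("CVE-0000-00003", WEB, cvss=7.5, epss=0.9, known_exploit=True),
]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.cve} on {f.asset.name}: CVSS {f.cvss} -> risk {risk_score(f)}")
    print("by CVSS:", rank_by_cvss(SAMPLE_FINDINGS))
    print("by risk:", rank_by_risk(SAMPLE_FINDINGS))
```

Running it shows the point of the article: the 9.8 on the data-poor Windows host comes first by CVSS but last by contextual risk, while the lower-scored database and web findings move ahead once exploit availability, exposure and data sensitivity are taken into account. The weights are deliberately simple so that an organization can replace them with its own asset inventory and threat model.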