According to a report by Rezilion, many organizations are inefficiently using their resources to eliminate irrelevant vulnerabilities. The report reveals that organizations are only able to eliminate 10% of total vulnerabilities, with only 5% of errors being addressed.
Rezilion focuses on the Exploitability Probability Prediction Score (EPPS) model, which estimates the probability that a specific vulnerability will be exploited, alongside its severity. The model combines information about common vulnerabilities and exposures (CVE) with observed real-world activity to form a rating.
During their study, Rezilion discovered over 30 actively exploited vulnerabilities with high EPPS ratings that were not included in the database of known exploited vulnerabilities (KEV) maintained by CISA.
A representative from Rezilion expressed concern about the current reliance on the Common Vulnerability Scoring System (CVSS) by organizations. While CVSS reveals the potential danger of a vulnerability, it does not provide a realistic assessment of the probability of exploitation.
Relying on CVSS alone results in organizations spending limited resources on fixing vulnerabilities that are unlikely to be exploited. To address this issue, Rezilion suggests a combined approach that incorporates the CVSS, KEV, and EPPS systems together with real-time checks of the running environment, so that vulnerabilities can be prioritized more effectively.
The current vulnerability assessment system creates a gap between IT specialists and application developers. Developers often lack the time and resources to address all reported vulnerabilities, leading to neglected security notifications. Rezilion proposes the use of simple mathematical methods for risk assessment to bridge this gap.
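The combined prioritization the report argues for, written out as an added example (not Rezilion's formula or code): each finding carries a CVSS score, an exploit probability, a KEV flag and a runtime reachability check, and a hypothetical weighting ranks them; the sample findings and their values are constructed, and the CVE identifiers are placeholders.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifier, not a real CVE
    cvss: float         # CVSS base score, 0.0 .. 10.0 (severity only)
    exploit_prob: float  # probability of exploitation, 0.0 .. 1.0
    in_kev: bool        # listed in CISA's known exploited vulnerabilities catalog
    reachable: bool     # real-time check: is the vulnerable code loaded and reachable?


def priority(f: Finding) -> float:
    """Urgency score, higher is more urgent. Hypothetical weighting for illustration."""
    if f.in_kev:
        # Confirmed exploitation in the wild always lands at the top of the queue,
        # ordered among KEV entries by severity.
        return 100.0 + f.cvss
    # Severity scaled by likelihood: a critical CVSS with a tiny exploit
    # probability no longer outranks a high CVSS that is actively being hit.
    score = f.cvss * f.exploit_prob * 10.0        # 0 .. 100
    if not f.reachable:
        # Code that never runs is kept visible but pushed far down the list.
        score *= 0.01
    return score


def triage(findings: List[Finding]) -> List[Finding]:
    """Combined CVSS + KEV + exploit-probability + reachability ordering."""
    return sorted(findings, key=priority, reverse=True)


def cvss_only(findings: List[Finding]) -> List[Finding]:
    """The severity-only ordering the report criticises, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings (placeholder CVE ids, made-up scores).
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, exploit_prob=0.02, in_kev=False, reachable=True),
    Finding("CVE-0000-0002", cvss=7.5, exploit_prob=0.90, in_kev=False, reachable=True),
    Finding("CVE-0000-0003", cvss=6.5, exploit_prob=0.60, in_kev=True,  reachable=True),
    Finding("CVE-0000-0004", cvss=9.1, exploit_prob=0.85, in_kev=False, reachable=False),
]

if __name__ == "__main__":
    print("CVSS only:", [f.cve for f in cvss_only(SAMPLE)])
    print("combined: ", [f.cve for f in triage(SAMPLE)])
```

The CVSS-only list puts the two 9.x findings first; the combined list promotes the KEV entry and the actively exploited 7.5, and demotes the critical-but-unreachable one.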