Resilient Cyber
Resilient Cyber
S3E18: Jacques Chester - Vulnerability Scoring and Software Supply Chain

S3E18: Jacques Chester - Vulnerability Scoring and Software Supply Chain

Chris: For those not familiar with CVSS, what exactly is it, and why is vulnerability scoring important?

Chris: What are some of the most notable critiques of CVSS?

Nikki: I read your article 'A Closer look at CVSS Scores" and have had a lot of similar thoughts. The CVSS SIG is doing great work, and there are other scoring methods out there to help determine the real threat of vulnerabilities. Do you have any advice for organizations that are struggling with the amount of High and Critical vulnerabilities they see based on this scoring method? 

Chris: Do you think organizations approaching Vulnerability Management using CVSS strictly from base scores is an effective approach?

Nikki:  Do you think that the industry needs a shift as far as vulnerability scoring systems? Not from a mathematical or quantification space, because we have some great people working on that. But from the understanding of how those vulnerabilities actually impact their businesses? 

Nikki: Where do you see vulnerability scoring and vulnerability management activities heading? Do you think we need some other methods for scoring insider threat and accumulating those scores with hardware and software vulnerabilities?

Chris: Pivoting a bit from vulnerability scoring, I know you're also involved with groups such as OpenSSF. Can you tell us a bit about that work?

Chris: What are your thoughts on Software Supply Chain Security more broadly, in terms of SBOM's, VEX, and the uptick in Software Supply Chain Attacks. Do you think we're trending in the right direction to respond to the rise in these attacks?