Resilient Cyber
Resilient Cyber Podcast
S4E22 - Jerry Gambling: The Evolving Vulnerability Landscape

Nikki - We have to talk about CVSS 4.0 - what do you think of the preview and what should anyone who's unfamiliar with the updated version be aware of? 

Nikki - I have to ask - do you think CVSS 4.0 will help based on the Exploitability Vector - or will it be somewhat confusing to try to parse the new CVSS metrics with EPSS and then compare to the CISA KEV? 

Chris - I have been digging into vulnerability metrics quite a bit, and I know we've seen an exponential increase in CVEs in the NVD over the last several years. Some studies show organizations have a backlog of 100,000 vulnerabilities. Is this an intractable problem?

Nikki - You posted an interesting metric a few months ago on LinkedIn - at the time, there were roughly 7k vulnerabilities released in 2023 to date, an average of 77 CVEs per day. No one can fix every vulnerability at this point. I think a lot about mitigating controls and focusing more on those versus trying to remediate everything. What are your thoughts on remediation versus mitigation?

Chris - We've talked a lot about managing vulnerabilities and remediation, but there's been a resurgence of leaders calling for "secure-by-default/design" software and "building it in versus bolting it on". Why do you think we continue to see significant growth in vulnerable software, and do you think that is a direction that will ever change?

Chris - I'm curious about your thoughts on the growth of OSS adoption and the vulnerabilities associated with OSS components and libraries, along with other risks such as lack of maintenance and updates, and SBOMs too. What's your take on the recent discussions around software supply chain security?

Nikki - The stats for the number of vulnerabilities that any organization has in its environment, the backlog of vulnerabilities, are insurmountable. What do you think about the human component in all of this? I can imagine there is a lot of burnout, stress, and frustration just around patch management activities amongst teams. How can we help the people who manage vulnerabilities and try to patch all the things?

Nikki - What does cyber resiliency mean to you?

Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.