uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites,’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.


Counting Vulnerabilities. Assessing Threats. Frictionless Remediation

A couple of days ago I read an interesting article in the Tenable Network Security Blog — here — where the author was arguing that the number of security vulnerabilities detected in a network is not a good indicator of risk that the network itself is facing against motivated attackers and malware.

In the above-mentioned blog post, the author states “Telling an organization that they have 10,324 vulnerabilities, whilst shocking, doesn’t convey the actual risks faced”.

I totally subscribe with this view since the number of vulnerabilities is not an indication of the security risk faced by the organization. Otherwise, most of the organization that use NopSec solution Unified VRM would be doomed and destined to compromise since at the beginning they have hundreds of thousands of unique and critical security vulnerabilities.

The Tenable blog post author goes on to mention several reasons why just the total number of vulnerabilities is not a sufficient statistics to convey the security risk an organization might face. Those include:

  • A total count without any context does not convey how many devices were scanned;
  • A total count does not take the criticality of the vulnerabilities into consideration;
  • There is no consideration on how critical the vulnerable assets are to the business;
  • There is no consideration on the type of scan performed, including credentialed scan, which might generate a huge number of vulnerabilities;
  • A growing number of vulnerability could demotivate IT Security and IT Operations as if they were trying to climb an insurmountable task.

In recommending other additional metrics to improve the efficiency and effectiveness of vulnerability management, the article author recommends to consider:

  • the average patch rate – meaning how long does it take to deploy application or operating system security fixes;
  • What is the scan coverage – meaning the percentage of assets not covered by the vulnerability scan;

Then the author goes on to recommend to prioritize vulnerabilities by CVSS base and temporal score. And that where my opinion differs from the article’s author.

It has been widely demonstrated that the CVSS score is not a sufficient metric to judge the risk an organization is facing due to a vulnerability, for the following reason:

  1. Most of the people use the provided CVSS base score, that does include any consideration for exploitability or value of the asset;
  2. The business impact of a compromise for a certain vulnerability is not included in the CVSS base score calculation;
  3. Correlation between the vulnerability and the availability of public exploits is not considered as part of the score calculation;
  4. Actual threats, targeted attacks and malware actively using the detected vulnerabilities are not included in the risk calculation;
  5. The risk calculation does not include any indication of the vulnerability popularity in the social media.

In Unified VRM the above-mentioned risk components are included in the risk calculation, including:

  • the CVSS base score;
  • the business impact of breach on the asset data;
  • the exploitability of the vulnerability through publicly available exploits;
  • the presence of active malware and attacks using the detected vulnerability;
  • the popularity of the vulnerability in social media.
  • Through all these components the prioritization of vulnerability risk can be resurfaced and remediation efforts targeted.

On top of this, Unified VRM Expert Engine verifies and re-prioritizes vulnerabilities based on an expert penetration testers’ knowledge base.

To put into perspective, NopSec has customers with hundreds of thousands of critical vulnerabilities detected. Which ones should be remediated first? Unified VRM structures that prioritization process for the customer so that they can focus on what matter the most, that is critical vulnerabilities on critical infrastructure and application assets, with available public exploits used by active actors and active malware, and with relevance in social media conversations.

All these risk prioritization is pre-canned on the Unified VRM product, so that organizations could focus on what matters the most: their business.

stack of reports

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.