This month, our data scientist Michael Roytman is featured in the USENIX Association’s journal alongside Dan Geer. Their article harkens back to our long-running theme of focusing remediation on the vulnerabilities which _actually_ generate risk for your environment. Michael and Dan argue that using CVSS as a guide for remediation is not only ineffective at identifying the vulnerabilities likely to be exploited, but is also a less cost-efficient way to run a security practice.
To quote from the article…
“Using CVSS to steer remediation is nuts, ineffective, deeply diseconomic, and knee jerk; given the availability of data it is also passé, which we will now demonstrate.”
Take a look at the article for yourself: https://www.usenix.org/system/files/login/articles/14_geer-online_0.pdf