
[CramHacks] Newsletter #15: Vulnerability Impact Scoring System (VISS)

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳

Happy Holidays everyone!!!

Software Supply Chain Security

The Vulnerability Impact Scoring System (VISS) is an adaptable framework developed by Zoom for assessing the impact of security vulnerabilities in technology infrastructures. It rates 13 distinct aspects across three groups (platform, infrastructure, and data) and produces a score from 0 to 100, with the individual ratings captured in a vector string so the result can be reproduced and compared.

CISA’s Cybersecurity Advisory addresses the exploitation of CVE-2023-26360 in Adobe ColdFusion: threat actors gained unauthorized access to Federal Civilian Executive Branch (FCEB) agency servers that were running the unsupported ColdFusion 2016, which no longer receives security patches, on a public-facing web server.

Steve Springett reflects on Dependency-Track’s history as the project celebrates its 10th anniversary! Today, over 10,000 organizations use it to track software and hardware component inventories while identifying the risks associated with them.

👋 If you’re shocked to hear it’s been ten years… Steve notes that before 2018, fewer than ten organizations were likely using Dependency-Track. The project was way before its time, and it’s great to see it scaling with the increasing demand for supply chain security oversight.

Cycode commissioned an independent, vendor-agnostic survey of 500 US security professionals (200 CISOs, 200 AppSec Directors, and 100 DevSecOps Directors). (Ungated link)

🌶️ Just looking at tool sprawl (Insight #3), the results say the average number of security tools was 49. With an application security team of 4-5, the tool count was 47. I’m not saying this doesn’t happen, but it shouldn’t happen…

Insight #10 is super misleading or doesn’t make any sense.

  • “90% would Consider Consolidating All of Their AppSec Tools Into a Single Platform Over the Next 12 Months.”

  • Yet 92% responded “yes” to “Do You Have Plans to Consolidate Your Security Tool Stack to 1 Platform Over the Next 12 Months?”

What the heck is the difference here, or how do 92% plan to do it, but only 90% would consider doing it? 🤯 

Stephan Miehe provides insight into how GitHub has processed over 150 million findings since the Security Findings initiative was introduced last year. At its core, findings come from bug bounty, GitHub Advanced Security, and Grype, and are then ingested and standardized into a common format.
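To make the "ingest and standardize" step concrete, here is an added example (not GitHub's or Grype's code, and not from the original post) that normalizes two scanner formats into one record shape and collapses duplicates. The field names follow Grype's JSON output (`matches[].vulnerability` / `matches[].artifact`) and SARIF 2.1.0 (`runs[].results[]`); the sample reports, the severity mapping for SARIF `level`, and the `Finding` schema itself are assumptions of the example.

```python
"""Normalize findings from two scanner formats into one schema and deduplicate.

Added example, not code from GitHub, Grype, or the newsletter. Field names follow
Grype JSON and SARIF 2.1.0; the sample reports below are constructed.
"""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}
# SARIF "level" is not a severity scale; this mapping is an assumption of the example.
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


@dataclass(frozen=True)
class Finding:
    source: str      # scanner that produced the record
    identifier: str  # CVE/GHSA id for dependency findings, rule id for code findings
    severity: str    # normalized bucket from SEVERITY_RANK
    component: str   # package name, or file path with line for code findings
    version: str     # package version ("" for code findings)
    fix: str         # fixed version(s), "" if none known

    def key(self):
        """Source-independent identity used to collapse duplicates."""
        return (self.identifier, self.component, self.version)


def normalize_severity(raw):
    """Lowercase and bucket a scanner severity string; unknown labels fall through."""
    s = (raw or "unknown").lower()
    return s if s in SEVERITY_RANK else "unknown"


def from_grype(report_json):
    """Map Grype matches (vulnerability + artifact) onto Finding records."""
    out = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        out.append(Finding(
            source="grype", identifier=vuln["id"],
            severity=normalize_severity(vuln.get("severity")),
            component=art["name"], version=art.get("version", ""),
            fix=",".join(vuln.get("fix", {}).get("versions", []))))
    return out


def from_sarif(report_json):
    """Map SARIF results onto Finding records, keyed by rule id and file:line."""
    out = []
    for run in json.loads(report_json).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            phys = res.get("locations", [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "")
            line = phys.get("region", {}).get("startLine")
            out.append(Finding(
                source=tool, identifier=res["ruleId"],
                severity=SARIF_LEVEL_TO_SEVERITY.get(res.get("level", ""), "unknown"),
                component=f"{uri}:{line}" if line else uri, version="", fix=""))
    return out


def ingest(*batches):
    """Merge batches, keep the highest severity per key, and sort worst-first."""
    merged = {}
    for batch in batches:
        for f in batch:
            k = f.key()
            if k not in merged or SEVERITY_RANK[f.severity] > SEVERITY_RANK[merged[k].severity]:
                merged[k] = f
    return sorted(merged.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.identifier))


# Constructed sample: the same CVE reported twice against the same package
# (e.g. the jar is present in two image layers) and must collapse to one finding.
GRYPE_SAMPLE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical",
                       "fix": {"versions": ["2.15.0"], "state": "fixed"}},
     "artifact": {"name": "log4j-core", "version": "2.14.1"}},
    {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical",
                       "fix": {"versions": ["2.15.0"], "state": "fixed"}},
     "artifact": {"name": "log4j-core", "version": "2.14.1"}},
]})

# Constructed sample in SARIF 2.1.0 shape; the file path is illustrative.
SARIF_SAMPLE = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL"}},
    "results": [{"ruleId": "py/sql-injection", "level": "error",
                 "message": {"text": "Query built from user input"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/db.py"},
                     "region": {"startLine": 42}}}]}],
}]})


def demo():
    """Run both parsers over the constructed samples and return the merged list."""
    return ingest(from_grype(GRYPE_SAMPLE), from_sarif(SARIF_SAMPLE))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:<8} {f.identifier:<18} {f.component} {f.version} fix={f.fix or 'n/a'}")
```

The key design choice is the deduplication key: it deliberately excludes the `source` field, so the same vulnerability seen by two tools (or twice by one tool) becomes a single finding with the worst severity retained, which is what keeps a pipeline's counts meaningful when many scanners feed it. Real scanners carry more nuance than this (CodeQL, for instance, publishes a numeric `security-severity` in its rule properties), so a production normalizer would read those fields rather than relying on the SARIF `level` mapping used here.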

👋 OpenSSF had a killer year; a quick summary won’t do it justice. Take a look at the highlights & full report (ungated)!

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle