People in many different roles are involved in handling security issues and vulnerabilities, one way or another: security engineers, system administrators, SREs, developers, their managers and often others.
We have summarized a few example use cases below, but they cover only a small subset of the actual problem space; potential use cases are not limited to these.
Let's consider a typical "security scan" use case:
- A security person runs a scan targeting 50 systems used by 20 different projects in a company
- The scan generates hundreds of findings, with short and generic issue descriptions and recommendations
- The security person assigns tasks to 30 different people, asking them to review and fix
- 30 people start reviewing and trying to make sense of scan results (as quickly as possible because this is not their primary job)
- 15 out of 30 assignees quietly assume the findings are correct and try to fix them; some of those fixes lead to unexpected results
- 10 assignees get back to the security person asking for more detailed issue explanations
- 5 of the assignees claim the issues are invalid.
- Now the security person needs to provide more details to some, convince others to fix, and verify that the ones claiming false positives are actually right
The above scenario should sound familiar to most people working in security, IT or software development. It is an inefficient and time-consuming process. Some issues get fixed although they could have been ignored, some issues get ignored although they were critical, and some issues take too long to fix, leading to poor security.
Problems in the above process
- Scanner outputs usually contain short, generic issue descriptions
- Every person reading the issue description tries to make sense of it separately. They usually search the web, get lost in the noise, and eventually either make a bad decision or give up.
How can CVEdetails.com help?
- Easy access to better information: they can just go to https://www.cvedetails.com/cve/CVE-2023-4863/ and immediately see that the CVE is in the CISA KEV catalog, its EPSS score, the CVEdetails custom risk score, its CVSS scores, references with brief summaries, and the list of products and versions affected by the CVE.
If they have an active subscription they can also view the CVE timeline, data mentioning CVE-2023-4863 and much more. They can add notes to the CVE to keep track of what has been done and add labels to the CVE (e.g. "TODO").
- Consistency: all users will have access to the same information. You will not be relying on the search skills of individual users.
- No more searching: users will not need to search the web for each finding. They will all get the same information, in the same way.
- Automation and integrations: using the APIs provided by CVEdetails, you can integrate data from CVEdetails into your existing processes/systems, e.g. Jira, so that your users will not even need to use another tool.
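The following is an added example of the triage logic described above, not code from CVEdetails.com, and it does not call the CVEdetails API. It takes parsed scanner findings, looks up KEV membership, EPSS and CVSS for each CVE in a local enrichment table, ranks the findings (KEV first, then likely-to-be-exploited, then severity), keeps findings with no CVE data apart for manual review instead of silently assuming they are valid, and builds the body of a Jira "create issue" request. The enrichment table, the scanner findings, the CVE-1900-* identifiers (placeholders, not real CVEs), the score values and the priority thresholds are all constructed assumptions; only the KEV membership of CVE-2023-4863 follows the text.

```python
"""Triage scanner findings with KEV / EPSS / CVSS data.

Added example for this page; not CVEdetails.com code and not a call to the
CVEdetails API. ENRICHMENT and SCAN_FINDINGS are constructed sample data:
field names, score values and the CVE-1900-* identifiers are assumptions
(the CVE-1900-* IDs are placeholders, not real CVEs; the scores are not the
real values for any CVE).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CveInfo:
    cve: str
    cvss: float     # CVSS base score, 0.0 - 10.0 (illustrative value)
    epss: float     # EPSS probability of exploitation, 0.0 - 1.0 (illustrative)
    in_kev: bool    # listed in the CISA KEV catalog


# Constructed enrichment data, standing in for whatever your CVE source returns.
ENRICHMENT: Dict[str, CveInfo] = {
    "CVE-2023-4863": CveInfo("CVE-2023-4863", cvss=8.8, epss=0.45, in_kev=True),
    "CVE-1900-0001": CveInfo("CVE-1900-0001", cvss=9.8, epss=0.02, in_kev=False),
    "CVE-1900-0002": CveInfo("CVE-1900-0002", cvss=5.3, epss=0.30, in_kev=False),
    "CVE-1900-0003": CveInfo("CVE-1900-0003", cvss=4.0, epss=0.001, in_kev=False),
}

# Constructed scanner output, as it might look after parsing a scan export.
SCAN_FINDINGS: List[Dict[str, str]] = [
    {"host": "web-01", "owner": "project-a", "cve": "CVE-1900-0003", "title": "Outdated library"},
    {"host": "web-02", "owner": "project-b", "cve": "CVE-2023-4863", "title": "libwebp heap overflow"},
    {"host": "db-01", "owner": "project-c", "cve": "CVE-1900-0001", "title": "Remote code execution"},
    {"host": "app-01", "owner": "project-a", "cve": "CVE-1900-0002", "title": "Information disclosure"},
    {"host": "app-02", "owner": "project-d", "cve": "CVE-1900-0009", "title": "Unknown plugin finding"},
]


def priority(info: CveInfo) -> str:
    """P1 if actively exploited (KEV); P2 if likely to be exploited (EPSS) or
    critical severity; P3 for high severity; P4 otherwise.
    The thresholds are a policy choice and an assumption of this example."""
    if info.in_kev:
        return "P1"
    if info.epss >= 0.10 or info.cvss >= 9.0:
        return "P2"
    if info.cvss >= 7.0:
        return "P3"
    return "P4"


def triage(findings: List[Dict[str, str]],
           enrichment: Dict[str, CveInfo]) -> Tuple[List[Dict], List[Dict]]:
    """Return (ranked, unresolved).

    ranked: findings with CVE data, sorted P1 first, then by EPSS and CVSS
            descending within the same priority.
    unresolved: findings whose CVE has no data. These go to a person for
            review rather than being auto-assigned as valid or dropped."""
    ranked: List[Dict] = []
    unresolved: List[Dict] = []
    for f in findings:
        info = enrichment.get(f["cve"])
        if info is None:
            unresolved.append(f)
            continue
        ranked.append({**f, "priority": priority(info), "epss": info.epss,
                       "cvss": info.cvss, "kev": info.in_kev})
    ranked.sort(key=lambda r: (r["priority"], -r["epss"], -r["cvss"]))
    return ranked, unresolved


# Mapping to Jira's default priority names; adjust to your instance (assumption).
JIRA_PRIORITY = {"P1": "Highest", "P2": "High", "P3": "Medium", "P4": "Low"}


def jira_issue_payload(item: Dict, project_key: str) -> Dict:
    """Body for Jira's REST 'create issue' call (POST /rest/api/2/issue).
    The issue type and priority names must exist in the target project;
    the ones used here are Jira defaults and an assumption."""
    description = (
        f"Host: {item['host']}\nCVE: {item['cve']}\n"
        f"KEV: {item['kev']}  EPSS: {item['epss']:.3f}  CVSS: {item['cvss']}\n"
        f"Details: https://www.cvedetails.com/cve/{item['cve']}/"
    )
    return {"fields": {
        "project": {"key": project_key},
        "summary": f"[{item['priority']}] {item['cve']} on {item['host']}: {item['title']}",
        "description": description,
        "issuetype": {"name": "Bug"},
        "priority": {"name": JIRA_PRIORITY[item["priority"]]},
    }}


if __name__ == "__main__":
    ranked_findings, needs_review = triage(SCAN_FINDINGS, ENRICHMENT)
    for r in ranked_findings:
        print(r["priority"], r["cve"], r["host"], r["owner"])
    for u in needs_review:
        print("REVIEW", u["cve"], u["host"], "(no CVE data; do not auto-assign)")
    print(jira_issue_payload(ranked_findings[0], "SEC"))
```

The point of the split return value is the failure mode from the scenario above: a finding with no reference data is neither "probably fine" nor "probably critical", so it is routed to a human instead of to an assignee who would have to guess. Sending the payload is a single authenticated POST to the Jira endpoint named in the docstring; it is left out so the script runs offline.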
Staying up to date on new issues and updates
As security practitioners we need to stay up to date on new developments, new issues and updates. We try to follow people on social media, subscribe to RSS feeds, email lists and vendor feeds, check new CVEs daily, and so on. All of these are manual, time-consuming tasks that most security practitioners don't have time for.
For example, we cannot start the day by checking 20 RSS feeds and 10 email lists, reviewing new CVEs, comparing EPSS scores against yesterday's, etc. It is simply not practical.
How can CVEdetails.com help?
We collect everything you need to know for you. With CVEdetails.com you save time and stop missing important news.
As an organization, let's assume you have 4 employees each spending 30 minutes on this problem separately every day. That is 2 person-hours wasted every day, so instead of 4 staff you effectively have 3.75. Assuming one employee costs 100K/year on average, those 2 hours lost every day (just due to this problem) already cost the organization 25K/year. Even without taking into account the negative impact on security, not providing users with the necessary tools costs more than doing so.