The Exploit Prediction Scoring System (EPSS) provides efficient, data-driven vulnerability management data: it combines current threat information from CVE with real-world exploit data to estimate the probability that a vulnerability will be exploited.

This talk will discuss the EPSS model in-depth and demonstrate how to implement EPSS for CI/CD pipelines and more traditional operating systems and application patching.
date 2025-01-12 22:00:17
views 60
author UCpT8Ll0b9ZLj1DeEQQz7f0A


Here’s a 300-word summary of the transcript:

Jerry Gamblin, a vulnerability enthusiast and expert, gave a talk at DEF CON 32 on using the Exploit Prediction Scoring System (EPSS) for better vulnerability management. EPSS is a data-driven system that estimates the likelihood of a vulnerability being exploited in the next 30 days. Jerry explained that with over 110 CVEs published daily, it’s crucial for organizations to prioritize their patching efforts. He highlighted that many organizations misuse the CVE scoring system, which is not designed to determine what to patch. Instead, EPSS provides a more accurate scoring system.

Jerry introduced PatchThis.A, a website that provides a list of known vulnerabilities on an organization’s network, making it easier to prioritize patching efforts. He also emphasized the importance of removing all known exploited vulnerabilities from a network before using EPSS.

Jerry discussed the limitations of EPSS, noting that it’s primarily designed for network-based attacks and may not be suitable for IoT or healthcare networks. He emphasized the need for organizations to understand their unique network environment and adjust EPSS accordingly.

The transcript also touched on the deployment pipelines for EPSS, highlighting its integration with major code repositories like GitHub and GitLab. Jerry encouraged developers to enable EPSS in their workflows to get real-time vulnerability scoring and prioritization.
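The prioritization order the talk describes (clear known exploited vulnerabilities first, then rank what remains by EPSS probability) and the CI/CD gate it suggests, written as an added example that is not from the talk or from the EPSS project. The findings, scores and CVE identifiers are constructed placeholders; in practice the probabilities come from the EPSS feed and the exploited flag from a KEV catalogue.

```python
"""Tiered patch prioritization: KEV entries first, then EPSS-ranked findings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder identifier, not a real CVE
    epss: float       # probability of exploitation in the next 30 days (0..1)
    percentile: float # share of all scored CVEs at or below this probability
    in_kev: bool      # listed in a known-exploited-vulnerabilities catalogue


# Constructed sample data: the ids and scores are invented for this example.
SAMPLE = [
    Finding("CVE-0000-0001", 0.02, 0.88, True),
    Finding("CVE-0000-0002", 0.91, 0.99, False),
    Finding("CVE-0000-0003", 0.0004, 0.11, False),
    Finding("CVE-0000-0004", 0.35, 0.97, False),
]


def prioritize(findings, epss_threshold=0.1):
    """Split findings into (must_fix, should_fix, backlog) tiers.

    Anything already known to be exploited is fixed first regardless of its
    EPSS score; the rest is ordered by EPSS probability, with a threshold
    (assumed here as 0.1, to be tuned per environment) separating the tiers.
    """
    must = sorted((f for f in findings if f.in_kev), key=lambda f: -f.epss)
    rest = [f for f in findings if not f.in_kev]
    should = sorted((f for f in rest if f.epss >= epss_threshold), key=lambda f: -f.epss)
    backlog = sorted((f for f in rest if f.epss < epss_threshold), key=lambda f: -f.epss)
    return must, should, backlog


def ci_gate(findings, epss_threshold=0.1):
    """Pipeline gate: pass only when nothing lands in the top two tiers."""
    must, should, _ = prioritize(findings, epss_threshold)
    return not must and not should


def expected_exploited(findings):
    """Sum of EPSS probabilities: the expected number of findings exploited in
    the next 30 days, treating each CVE as independent (a simplification)."""
    return sum(f.epss for f in findings)


if __name__ == "__main__":
    for name, tier in zip(("must fix", "should fix", "backlog"), prioritize(SAMPLE)):
        print(name, [f.cve for f in tier])
    print("gate passes:", ci_gate(SAMPLE))
    print("expected exploited in 30 days: %.4f" % expected_exploited(SAMPLE))
```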

Overall, Jerry’s talk stressed the importance of EPSS in vulnerability management, noting that the system is designed to give organizations actionable insight for prioritizing their patching efforts effectively.
