Prioritization Approach for Vulnerability Findings *

Triaging plays a major role in determining which vulnerabilities to fix first. My prioritization approach includes:

• Calculating risk based on exploitability and impact.
• Checking CISA KEV to identify if the vulnerability is listed as a Known Exploited Vulnerability.
• Assessing the threat actor vector (how it can be exploited) and attack surface (whether it's externally reachable or requires prior/insider access).
• Considering CVSS and EPSS scores, with higher weight given to EPSS for likelihood-based prioritization.

Additional Recommendation:Develop an integration tool that aggregates results from multiple SAST and SCA tools, automatically correlates them with threat intelligence sources, and enriches vulnerability ratings based on KEV, EPSS, and contextual risk factors. (#SARIF #KEV #EPSS #Python #Dashboard)