In the world of secure development, software dependencies build a significant portion of our codebase, which means there is a high likelihood of our applications inheriting their vulnerabilities. Nowadays, it is almost impossible to find a library without an associated CVE (Common Vulnerabilities and Exposures), making library management crucial. It’s no wonder that “Outdated and Vulnerable Components” has become one of the top risks for applications, according to the OWASP Top 10.
The risk of using vulnerable components has become increasingly common, as highlighted by the OWASP Top 10.
To face this scenario, we integrated SCA (Software Composition Analysis) tools into our pipelines to scan our code and understand which libraries are being used and their vulnerabilities. But what is the real risk linked to these vulnerabilities? In this blogpost, we will explore what EPSS is, how it works, its importance and how it can help you make decisions when used in conjunction with your SCA tool.
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a metric introduced at the 2019 Black Hat conference and is now widely used in SCA tools. This metric estimates the likelihood that a vulnerability will be exploited in real-world attacks within the next 30 days. Unlike other risk assessment metrics, EPSS focuses not just on the severity of a vulnerability but on the likelihood of its exploitation by attackers.
Developed by the FIRST (Forum of Incident Response and Security Teams), EPSS employs statistical models and machine learning to analyze data and predict exploitation probabilities. It assigns a score from 0 to 1 (or 0% to 100%) to each vulnerability, indicating how likely it is to be exploited soon.
How Does EPSS Work?
EPSS uses a variety of data and techniques to make predictions. Some of the factors considered include:
• Vulnerability Lifetime
• CVSS Score calculation
• Presence in known references (e.g., CISA KEV, Google Project Zero, Trend Micro’s Zero Day Initiative (ZDI)
• Publicly available exploits (e.g., Exploit-DB, GitHub, MetaSploit)
• Verification via offensive security tools (e.g., Intrigue, sn1per, jaeles, nuclei)
Other factors also contribute to EPSS calculations. For a complete list of collected data, visit https://www.first.org/epss/model. Using these inputs, statistical and machine learning techniques generate scores updated every 24 hours for each vulnerability, indicating the likelihood of exploitation.
Why is EPSS Important?
In secure software development, AppSec and development teams manage numerous library vulnerabilities daily. According to the CVE.ICU project, an average of 110 new CVEs are published each day.
Reference: https://cve.icu/CVE2024.html#cve-per-day-graph
Fixing all CVEs immediately is often impractical, making EPSS vital. It helps teams focus their efforts on vulnerabilities most likely to be exploited.
Implementing EPSS in Your Organization
To leverage EPSS, organizations should:
1. Integrate EPSS into vulnerability management systems: Use SCA tools supporting EPSS, such as the Conviso Platform’s SCA tool. For organizations with limited budgets, open-source tools like Dependabot EPSS Action can be considered.
Dependabot with EPSS in the pipeline
Dependabot results with EPSS in the pipeline
2. Prioritize vulnerabilities based on EPSS: Use EPSS scores to determine which vulnerabilities require immediate attention. Conviso Platform’s funnel dashboard, for example, offers a prioritization view not only based on EPSS but also considering asset classification (e.g., internet exposure, business impact, PII/PCI data presence), providing a clearer risk assessment for your organization.
View of the Conviso Platform vulnerability funnel
3. Train teams on EPSS usage: The security team must be able to understand and apply the EPSS methodology effectively, knowing when and how to prioritize the listed vulnerabilities. The table below shows a vulnerability prioritization study according to the relationship between EPSS and CVSS.
Table shows the prioritization of vulnerabilities according to the EPSS x CVSS relationship
Conclusion
Among discussions about the actual risk posed by vulnerabilities identified by SCA tools, EPSS offers a way to prioritize vulnerabilities that genuinely threaten organizations. By considering metrics like CVSS and EPSS alongside proper asset classification, teams gain a realistic view of environmental risks, leading to more effective vulnerability management decisions.
Advantages include:
• Efficient Prioritization: Reduces time and resources spent on low-risk vulnerabilities.
• Better Resource Utilization: Directs security teams to address critical and urgent issues.
• Enhanced Proactive Security: Identifies threats before active exploitation occurs.