Traditional vulnerability assessment falls short on third-party risks

As organizations increasingly rely on third-party vendors, open-source components, and cloud services to bolster efficiency and scalability, they also open themselves to risks.

Historically, organizations have relied on CVSS scores to rate the severity of individual vulnerabilities, but a new report from Black Kite argues that a severity score on its own is not enough to manage the resulting risk.

"Focusing solely on Common Vulnerability Scoring System (CVSS) scores is insufficient for risk management," says Ferhat Dikbiyik, chief research and intelligence officer at Black Kite. "CVSS is not a prioritization tool and cannot inform security teams whether a vulnerability is being exploited or the likelihood it will be weaponized. Further exacerbating the challenges, security teams are overwhelmed by the sheer number of vulnerabilities to address and track, while most exploited vulnerabilities slip past traditional risk assessments as they fall in the medium or low range. In today's environment, organizations need to understand how vulnerabilities can propagate through the ecosystem. They must rethink their vulnerability management strategy to include exploitability, vendor exposure, and supply chain risk."

The report finds that many of 2024's most exploited vulnerabilities were present in widely used third-party software rather than internally developed applications, with high-profile vulnerabilities in MOVEit, Fortra GoAnywhere, and Ivanti products demonstrating how supply chain risks can spread.

A significant portion of the vulnerabilities covered by the report were weaponized within days of disclosure, reinforcing the need for rapid risk assessment and response. Additionally, ransomware groups increasingly leverage vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog to maximize impact.

Vulnerabilities affecting major software vendors such as Microsoft, Cisco, and VMware have far-reaching consequences too, as they are embedded in countless enterprise environments. The interconnected nature of digital supply chains magnifies the potential damage.
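As an added illustration of the kind of prioritization the report argues for, the following example (written for this page, not Black Kite's scoring method or tooling) triages a set of findings by evidence of exploitation, recency of disclosure, and exposure across the estate, and uses the CVSS score only as a tiebreaker. The findings are constructed sample data with placeholder identifiers rather than real CVEs, the in_kev flag is assumed to mean the entry appears in CISA's Known Exploited Vulnerabilities catalog, and the seven-day "urgent" window and the order of the tiers are one defensible policy choice, not figures from the report.

```python
"""Prioritize vulnerability findings by exploitability and exposure, not CVSS alone.

Added example for this article; not Black Kite's method. Sample data is constructed
and the identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0 to 10.0
    in_kev: bool             # assumption: listed in CISA's KEV catalog
    days_since_disclosure: int
    third_party: bool        # vendor-supplied component vs. internally developed code
    exposed_assets: int      # systems in the estate running the affected component


URGENT_WINDOW_DAYS = 7       # policy choice: "weaponized within days of disclosure"


def cvss_band(score: float) -> str:
    """Map a CVSS base score onto the standard qualitative bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def priority_key(f: Finding):
    """Sort key: exploited in the wild first, then fresh, then wide exposure, then CVSS.

    Python sorts False before True, so negating each flag puts the "worse" case first.
    A medium-severity KEV entry therefore outranks a critical one with no exploitation.
    """
    urgent = f.in_kev and f.days_since_disclosure <= URGENT_WINDOW_DAYS
    return (
        not f.in_kev,          # known exploited entries at the top
        not urgent,            # recently weaponized before older KEV entries
        -f.exposed_assets,     # larger blast radius first
        not f.third_party,     # supply-chain components can propagate across vendors
        -f.cvss,               # severity only breaks remaining ties
    )


def prioritized_ids(findings):
    """Ordering a team would work, most urgent first."""
    return [f.vuln_id for f in sorted(findings, key=priority_key)]


def cvss_only_ids(findings):
    """The traditional ordering: highest base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def missed_by_severity_triage(findings, threshold: float = 7.0):
    """Known-exploited findings a 'fix highs and criticals first' policy would leave behind."""
    return [f.vuln_id for f in findings if f.in_kev and f.cvss < threshold]


# Constructed sample findings (placeholder IDs; not from the report).
SAMPLE_FINDINGS = [
    Finding("SAMPLE-1", 6.5, True, 3, True, 40),     # medium score, exploited, 3 days old, widely deployed vendor product
    Finding("SAMPLE-2", 9.8, False, 120, False, 2),  # critical score, no exploitation evidence, internal app
    Finding("SAMPLE-3", 7.5, True, 60, True, 15),    # high score, exploited, older
    Finding("SAMPLE-4", 5.3, False, 10, True, 300),  # medium score, not exploited, very widely deployed
    Finding("SAMPLE-5", 8.1, True, 2, False, 5),     # high score, exploited, 2 days old, internal app
]


if __name__ == "__main__":
    print("CVSS only:        ", cvss_only_ids(SAMPLE_FINDINGS))
    print("Exploitability:   ", prioritized_ids(SAMPLE_FINDINGS))
    print("Missed by >=7.0 triage:", missed_by_severity_triage(SAMPLE_FINDINGS))
```

The point of the comparison is the first entry: SAMPLE-1 is a medium-severity vulnerability that a "criticals and highs first" policy would not touch, yet it is known to be exploited, was weaponized within days, and sits on the most widely deployed third-party component in the sample. The tier order in priority_key is where a team encodes its own policy; the code only makes that policy explicit and checkable.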

You can get the full report on the Black Kite site.

Image credit: Weerapat Wattanapichayakul/dreamstime.com

© 1998-2025 BetaNews, Inc. All Rights Reserved.