How do you find vulnerabilities? For most, the process starts and stops with a scanner, then we work through the High and Critical findings, rinse and repeat. What if I told you attackers don't care about those vulnerabilities? Imagine a world where we unlocked omniscience. A world where we knew exactly which one of those critical flaws an attacker would use. In this world should we bother to patch the others, and if we did, would it make a difference? That hypothetical world is here and we 're living it every day.
Vulnerabilities are not limited to software bugs and most risks are built-in features. Let's dive into a seven phase Vulnerability Assessment Methodology that ends with a true identification of organizational risk that goes far beyond the CVSS score.