Efficient Dependency & Container Vulnerability Risk Prioritization via EPSS, KEV and CVSS
[[_TOC_]]
### Release notes
Efficiently prioritize risk across your dependency and container image vulnerabilities using EPSS, KEV and CVSS. These signals will be shown in the Vulnerability Report and on the Vulnerability Details page.
### Problem to solve
Engineering and Security teams are overwhelmed by the number of vulnerabilities they need to remediate (half of organizations remediate less than 16% of their known vulnerabilities monthly). As an Engineer, I want to be able to understand the likelihood that critical vulnerabilities in my organization's code could be exploited, so that I can prioritize remediating the riskiest vulnerabilities first. CVSS scores assess the severity associated with a vulnerability, and severity scores provide some context, but teams need additional context to properly prioritize which vulnerabilities need to be remediated first.
### What is EPSS?
[Exploit Prediction Scoring System (EPSS)](https://www.first.org/epss/) is an open effort that aims to estimate the probability of a software vulnerability being exploited in the wild in the next 30 days. The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that a vulnerability will be exploited. EPSS scores are created for all CVEs in a published state.
EPSS is calculated using machine learning over data sources including the MITRE CVE List, NVD (National Vulnerability Database), and various threat intelligence feeds such as Metasploit and ExploitDB. Research by Kenna Security, now Cisco, ([Kenna.pdf](/uploads/7276571c52193e6954d3d557d50d0515/Kenna.pdf)) has shown that EPSS is the most effective way to prioritize vulnerabilities for remediation. [EPSS has been adopted by over 38 commercial software products (as of October 2023), including several SCA vendors](https://www.first.org/epss/who_is_using).
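To make the prioritization concrete, here is an added Python example (not GitLab's, Rezilion's or FIRST's code) that joins scanner findings with an EPSS feed and a KEV membership list and ranks them. The CSV excerpt is constructed in the shape of FIRST's daily EPSS export (a `#` metadata line followed by `cve,epss,percentile`), the CVE ids, component names, scores and KEV flags are made up, and the ordering rule (KEV first, then EPSS, then CVSS) and the triage thresholds are assumptions chosen for illustration.

```python
import csv
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set

# Constructed EPSS feed excerpt in the shape of FIRST's daily CSV export.
# Every value below is made up for illustration; none is real feed data.
EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.97000,0.99900
CVE-0000-0002,0.00400,0.62000
CVE-0000-0003,0.21000,0.96000
CVE-0000-0004,0.00100,0.30000
"""

# Constructed KEV membership: the CISA KEV catalog is a JSON list of entries;
# here it is reduced to the set of CVE ids that appear in it (assumed).
KEV_IDS: Set[str] = {"CVE-0000-0003"}


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    cvss: float                    # CVSS base score 0.0-10.0, from the scanner
    epss: Optional[float] = None   # EPSS probability, filled in from the feed
    kev: bool = False              # listed in the KEV catalog


# Constructed scanner findings (component names and scores are placeholders).
FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", "libfoo", cvss=5.3),
    Finding("CVE-0000-0002", "libbar", cvss=9.8),
    Finding("CVE-0000-0003", "libbaz", cvss=7.5),
    Finding("CVE-0000-0004", "libqux", cvss=4.0),
    Finding("CVE-0000-0005", "libquux", cvss=8.1),   # not yet scored by EPSS
]


def load_epss(text: str) -> Dict[str, float]:
    """Parse the EPSS CSV into {cve: probability}, skipping '#' metadata lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def enrich(findings: List[Finding], epss: Dict[str, float], kev_ids: Set[str]) -> List[Finding]:
    """Attach EPSS probability and KEV membership to each finding."""
    return [replace(f, epss=epss.get(f.cve), kev=f.cve in kev_ids) for f in findings]


def risk_key(f: Finding):
    # Assumed ordering: confirmed exploitation (KEV) outranks predicted
    # exploitation (EPSS), which outranks severity alone (CVSS). A CVE with no
    # EPSS score yet is treated as 0.0 so it is never silently promoted; surface
    # such gaps separately rather than guessing a probability.
    return (f.kev, f.epss if f.epss is not None else 0.0, f.cvss)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest-risk first."""
    return sorted(findings, key=risk_key, reverse=True)


def triage(f: Finding, epss_threshold: float = 0.1, cvss_threshold: float = 7.0) -> str:
    """Coarse bucket for a finding. Both thresholds are assumptions, not FIRST guidance."""
    if f.kev or (f.epss or 0.0) >= epss_threshold:
        return "act-now"
    if f.cvss >= cvss_threshold:
        return "schedule"
    return "backlog"


def ranked_report() -> List[tuple]:
    """Run the whole pipeline on the constructed data: (cve, epss, kev, cvss, bucket)."""
    enriched = enrich(FINDINGS, load_epss(EPSS_CSV), KEV_IDS)
    return [(f.cve, f.epss, f.kev, f.cvss, triage(f)) for f in prioritize(enriched)]


if __name__ == "__main__":
    for row in ranked_report():
        print(row)
```

Note how the CVSS 9.8 finding (`CVE-0000-0002`) lands below a CVSS 5.3 finding with a high EPSS probability, which is exactly the reordering this epic is after; and that the unscored `CVE-0000-0005` falls to the bottom, so a report built this way should flag missing EPSS data explicitly rather than let it hide behind a low rank.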
### Proposal
Incorporate [EPSS](https://www.first.org/epss/) scores for all dependency scanning and container scanning findings.
### Scope
Integrate Rezilion's support for EPSS into the ~"group::composition analysis" product.
#### MVC
* EPSS v3 is used (unless a newer version has been released/verified)
* User can call the GraphQL API and view EPSS data in the response payload.
#### Post-MVC
* Vulnerability Report filters for EPSS, CVSS, KEV
* https://gitlab.com/gitlab-org/gitlab/-/issues/511283+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/511284+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/511285+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/511286+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/511287+s
* https://gitlab.com/gitlab-org/gitlab/-/issues/511288+s
#### General Availability
* Customers can view an EPSS score for every dependency scanning result on the specific vulnerability page
* Customers can view an EPSS score for every container scanning result on the specific vulnerability page
#### Work extending outside of Composition Analysis team
* Customers can filter the Vulnerability Report by EPSS score
* Customers can create security policies based on EPSS score
#### Won't Have
### Materials
- [Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights](https://arxiv.org/pdf/2302.14172.pdf) (EPSS v3 paper)
- [The EPSS Model](https://www.first.org/epss/model)
- [Open-source EPSS tools](https://www.first.org/epss/epss_tools)
- [A deep dive into the Exploit Prediction Scoring System (EPSS), recording](https://nucleussec.com/webinar/a-deep-dive-into-the-exploit-prediction-scoring-system-epss-recording/)
- [Exploit Prediction Scoring System: What's New & Improved with EPSS version 3](https://www.youtube.com/watch?v=L_THv-IplIQ), presentation by Cyentia Institute
### Intended users
Personas are described at https://about.gitlab.com/handbook/product/personas/
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/product/personas/#delaney-development-team-lead)
* [Amy (Application Security Engineer)](https://about.gitlab.com/handbook/product/personas/#amy-application-security-engineer)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/product/personas/#alex-security-operations-engineer)
_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._