Episode 47

The Pitfalls of Risk Scoring

Having one value to summarize risk posture is handy, but not without its caveats. For starters, predictive analyses founded on your risk score are strictly limited by the quality and subjectivity of the data that define it (unless you can see the future), leaving room for skewed prognoses. There's also the fact that a risk score doesn't account for important factors like whether CVEs have actually been exploited, or whether they can actually be remediated in the first place. And lastly, a truth that bears repeating: risk scores are very specifically context-dependent, and more often than not, don't accurately translate between processes, business units or organizations.

Resources

Further listening

Understanding AppSec Part 3: Testing Your Code – DAST, Pentesting and Red Teaming

Episode 80

Understanding AppSec Part 2: Getting Your Code to the Cloud – IAC, Container Security, CSPM

Episode 79

Understanding AppSec Part 1: Securing Your Code – SCA and SAST

Episode 78

Scaling AppSec to Secure the Smallest Doors and the Biggest Buildings

Subscribe for updates

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Preferences