
Preface

I embarked on this journey because, as a Product Security engineer, my role is to enable the flow of value to our customers by helping deliver high quality software efficiently and securely.

A large part of that was being able to prioritize the ever-increasing number of published vulnerabilities (CVEs) by Real Risk.

Lots of dumb questions and data analysis later, plus experience deploying Risk Based Prioritization at scale in production, this guide represents the distillation of that knowledge into a user-centric system view: what I wish I had known before I started, and what I learnt by interacting with other users, standards groups, and tool vendors.

The Risk Based Prioritization described in this guide significantly reduces the

  • cost of vulnerability management
  • risk by reducing the time adversaries have access to vulnerable systems they are trying to exploit

🙏 Special thanks to

  1. My family - who give life to living ❤
  2. My employer Yahoo for cultivating such a rich environment for people to thrive.
  3. My colleague Lisa for the expert input, keeping all this real, and tolerating more dumb questions than any human should endure in one lifetime!
  4. The friendly vibrant community in this space - many of whom have contributed content to this guide.

Chris Madden