Prioritizing threat/vulnerability findings takes thought, a satellite cam, and a microscope if you don't have an AppSecOps platform at work. There's a lot to consider: criticality variance across tools (they don't come normalized out of the box), threat intelligence on CVEs, and tool/technique weight factors for starters. A major concept is the context around the app/sub-app/module associated with a finding. The software's dependencies, environment, provenance, and the sensitivity of its data are just a few values that affect priority.
Factors in Prioritization
October 27, 2022