Episode 24

Threat intelligence is nothing new, but in the case that leveraging it to improve your application security operations is a novel prospect, we're here to break the ice. Like most things in security, it starts with a few acronyms: NVD (the National Vulnerability Database), which provides a threat feed of CVEs and their corresponding CVSS severity score; and CISA's KEV (Known Exploited Vulnerabilities catalog), offering a more "IRL" picture of application risks. AppSec program builders needing more context than these open source databases provide have the option to go the paid route—recruiting a vendor's help in determining which exploited vulns pose a legitimate threat to their org, and how best to prioritize them.