Commit 829f179

Deployed b01361e with MkDocs version: 1.5.3
1 parent 7403f4d commit 829f179

6 files changed

+52
-42
lines changed

print_page/index.html

Lines changed: 7 additions & 2 deletions
@@ -2223,7 +2223,7 @@ <h2 id="risk-vulnerability_landscape-key-risk-factor-standards">Key <abbr title=
22232223
<p class="admonition-title"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> - <abbr title="CWE Common Weakness Enumeration">CWE</abbr> - Technical Impact</p>
22242224
<ol>
22252225
<li>A <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> may have zero or more CWEs associated with it e.g. Log4Shell <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2021-44228 has 4 CWEs</li>
2226-
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may have zero or more Common Consequences/Technical Impacts associated with it e.g. Log4Shell <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2021-44228 has 2</li>
2226+
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may have zero or more Common Consequences/Technical Impacts associated with it e.g. <a href="#risk-log4shell-mitre-cwe-917">Log4Shell <abbr title="CWE Common Weakness Enumeration">CWE</abbr>-917</a> has 2.</li>
22272227
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may be associated with zero or more CVEs.</li>
22282228
</ol>
22292229
<p>To understand MITRE <a href="https://capec.mitre.org/">CAPEC</a> vs MITRE <a href="https://attack.mitre.org/">ATT&amp;CK</a>, see <a href="https://capec.mitre.org/about/attack_comparison.html">https://capec.mitre.org/about/attack_comparison.html</a>.</p>
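Review bot: The new link on line 2226 targets the in-page anchor #risk-log4shell-mitre-cwe-917, and nothing in this hunk shows an element carrying that id, so confirm the print page actually emits it; a missing id fails silently and the reader stays where they are. Switching the example from the CVE to CWE-917 makes the sentence match its subject (a CWE has consequences, not a CVE), which is the right correction.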
@@ -2244,7 +2244,7 @@ <h2 id="risk-vulnerability_landscape-key-risk-factor-standards">Key <abbr title=
22442244
<li><a href="https://cwe.mitre.org/"><abbr title="CWE Common Weakness Enumeration">CWE</abbr></a> is the root mistake, which can lead to a vulnerability (tracked by <a href="https://cve.mitre.org/"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr></a> in some cases when known), which can be exploited by an attacker (using techniques covered by <a href="https://capec.mitre.org/">CAPEC</a>)”, which can lead to a <strong><a href="https://capec.mitre.org/custom/view.html?id=1000">Technical Impact</a></strong> (or consequence), which can result in a <strong>Business Impact</strong></li>
22452245
<li><abbr title="National Vulnerability Database">NVD</abbr> uses <abbr title="CWE Common Weakness Enumeration">CWE</abbr>-1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities)</li>
22462246
<li>A <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> may have zero or more CWEs associated with it e.g. Log4Shell has 4 CWEs</li>
2247-
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may have zero or more Common Consequences/Technical Impacts associated with it e.g. Log4Shell has 2</li>
2247+
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may have zero or more Common Consequences/Technical Impacts associated with it e.g. <a href="#risk-log4shell-mitre-cwe-917">Log4Shell <abbr title="CWE Common Weakness Enumeration">CWE</abbr>-917</a> has 2.</li>
22482248
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may be associated with zero or more CVEs e.g. <abbr title="CWE Common Weakness Enumeration">CWE</abbr>-917 is associated with <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22665"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2023-22665</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-27821"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2023-41331</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41331"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2023-41331</a>, and many other CVEs.</li>
22492249
</ol>
22502250
</div></section><section class="print-page" id="risk-understanding_risk"><h1 id="risk-understanding_risk-understanding-risk">Understanding <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr><a class="headerlink" href="#risk-understanding_risk-understanding-risk" title="Permanent link">&para;</a></h1>
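Review bot: In the unchanged item on line 2248, the second link has href https://nvd.nist.gov/vuln/detail/CVE-2023-27821 but its visible text reads CVE-2023-41331, which is also the text of the third link, so one CVE is listed twice and the other is never named. Since this change edits the neighbouring item, correct the link text (or the href, whichever was intended) in the same pass so the example CVEs for CWE-917 can be trusted when copied.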
@@ -4898,6 +4898,11 @@ <h1 class='nav-section-title' id='section-vendors'>
48984898
<td>SCA tool shows <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> score, <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score, and public exploits per <a href="https://docs.mend.io/bundle/sca_user_guide/page/public_exploits_in_mend_sca.html">https://docs.mend.io/bundle/sca_user_guide/page/public_exploits_in_mend_sca.html</a></td>
48994899
<td></td>
49004900
</tr>
4901+
<tr>
4902+
<td><strong>Phoenix.security</strong></td>
4903+
<td>Phoenix Security adopts a refined approach to contextual vulnerability management, integrating a sophisticated risk formula that quantifies vulnerabilities on a scale from 0 to 1000. This method encompasses three principal components: base severity, the weighted likelihood of exploitation, and the weighted business impact at the vulnerability level. <br><strong>Base Severity</strong>: Establishes the inherent risk posed by a vulnerability, serving as the foundational risk assessment metric. <br><strong>Weighted Likelihood of Exploitation</strong>: This factor evaluates the probability of a vulnerability being exploited, incorporating contextual elements such as externability, cyber threat intelligence (with the Exploit Prediction Scoring System <abbr title="Exploit Prediction Scoring System">EPSS</abbr> among the key indicators), <abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> Known Exploited Vulnerabilities (<abbr title="Known Exploited Vulnerability">KEV</abbr>), exploit availability, and exploit maturity levels (Proof of Concept, Exploitable, Weaponizable). <br><strong>Weighted Business Impact</strong>: Assesses the potential impact of a vulnerability on business operations, factoring in both a user-assigned impact score (1-10 scale) and financial implications. This dimension does not directly influence the overall risk score through financial impact but provides a comprehensive view of the potential operational disruption. Vulnerabilities are systematically categorized across assets, applications, and environments, enhancing the precision of risk assessment. The likelihood of exploitation is detailed by combining external vulnerability data, threat intelligence, and the presence and maturity of exploits. 
Business impact evaluation includes user input and financial impact assessments, albeit without affecting the overall risk score.\<abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> aggregation considers asset criticality, whether an asset is internal or external, the volume of vulnerabilities, and groups them in ranges for effective prioritization and management. <br><br>This structured approach enables Phoenix Security to deliver a nuanced, actionable framework for addressing vulnerabilities in a targeted manner.Details on the risk formula are available here: <a href="https://phoenix.security/phoenix-security-act-on-risk-calculation/">https://phoenix.security/phoenix-security-act-on-risk-calculation/</a> For FAQ: <a href="https://phoenix.security/faqs/">https://phoenix.security/faqs/</a> .</td>
4904+
<td></td>
4905+
</tr>
49014906
</tbody>
49024907
</table>
49034908
<div class="admonition warning">
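Review bot: In the added cell on line 4903, "risk score.\<abbr title=..." has a backslash in front of the tag that will render as a literal "\" before "Risk"; remove it. The same cell has "manner.Details" with no space after the period, a raw line break in the middle of the td, and the word "externability", which reads like a typo and should be corrected or defined. The description also names weighted business impact as one of the three components of the 0 to 1000 score and then states that the business impact evaluation does not affect the overall risk score; reword so a reader comparing vendors can tell which inputs actually drive the number.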

risk/Vulnerability_Landscape/index.html

Lines changed: 2 additions & 2 deletions
@@ -1547,7 +1547,7 @@ <h2 id="key-risk-factor-standards">Key <abbr title="The likelihood of a vulnerab
15471547
<p class="admonition-title"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> - <abbr title="CWE Common Weakness Enumeration">CWE</abbr> - Technical Impact</p>
15481548
<ol>
15491549
<li>A <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> may have zero or more CWEs associated with it e.g. Log4Shell <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2021-44228 has 4 CWEs</li>
1550-
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may have zero or more Common Consequences/Technical Impacts associated with it e.g. Log4Shell <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2021-44228 has 2</li>
1550+
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may have zero or more Common Consequences/Technical Impacts associated with it e.g. <a href="../Log4Shell/#mitre-cwe-917">Log4Shell <abbr title="CWE Common Weakness Enumeration">CWE</abbr>-917</a> has 2.</li>
15511551
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may be associated with zero or more CVEs.</li>
15521552
</ol>
15531553
<p>To understand MITRE <a href="https://capec.mitre.org/">CAPEC</a> vs MITRE <a href="https://attack.mitre.org/">ATT&amp;CK</a>, see <a href="https://capec.mitre.org/about/attack_comparison.html">https://capec.mitre.org/about/attack_comparison.html</a>.</p>
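Review bot: Line 1550 now ends with a period, but line 1549 directly above still ends without one ("... CVE-2021-44228 has 4 CWEs"), leaving the three-item list with mixed punctuation; add the period to line 1549 in the same change. The relative target ../Log4Shell/#mitre-cwe-917 depends on a heading id in another page that is not visible here, so include it in a link check on the built site.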
@@ -1568,7 +1568,7 @@ <h2 id="key-risk-factor-standards">Key <abbr title="The likelihood of a vulnerab
15681568
<li><a href="https://cwe.mitre.org/"><abbr title="CWE Common Weakness Enumeration">CWE</abbr></a> is the root mistake, which can lead to a vulnerability (tracked by <a href="https://cve.mitre.org/"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr></a> in some cases when known), which can be exploited by an attacker (using techniques covered by <a href="https://capec.mitre.org/">CAPEC</a>)”, which can lead to a <strong><a href="https://capec.mitre.org/custom/view.html?id=1000">Technical Impact</a></strong> (or consequence), which can result in a <strong>Business Impact</strong></li>
15691569
<li><abbr title="National Vulnerability Database">NVD</abbr> uses <abbr title="CWE Common Weakness Enumeration">CWE</abbr>-1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities)</li>
15701570
<li>A <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> may have zero or more CWEs associated with it e.g. Log4Shell has 4 CWEs</li>
1571-
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may have zero or more Common Consequences/Technical Impacts associated with it e.g. Log4Shell has 2</li>
1571+
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may have zero or more Common Consequences/Technical Impacts associated with it e.g. <a href="../Log4Shell/#mitre-cwe-917">Log4Shell <abbr title="CWE Common Weakness Enumeration">CWE</abbr>-917</a> has 2.</li>
15721572
<li>A <abbr title="CWE Common Weakness Enumeration">CWE</abbr> may be associated with zero or more CVEs e.g. <abbr title="CWE Common Weakness Enumeration">CWE</abbr>-917 is associated with <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22665"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2023-22665</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-27821"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2023-41331</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41331"><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr>-2023-41331</a>, and many other CVEs.</li>
15731573
</ol>
15741574
</div>
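Review bot: The context item on line 1568 carries a stray closing quote after the CAPEC link (")”,") with no matching opening quote; remove it or restore the opening quote and the source of the quotation. Line 1570 still says "Log4Shell has 4 CWEs" without an identifier, while the new line 1571 names and links CWE-917; naming CVE-2021-44228 on line 1570 would keep the two examples parallel.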

search/search_index.json

Lines changed: 1 addition & 1 deletion
Large diffs are not rendered by default.
