How do I evaluate an open source vulnerability’s risk to my organization?
Vulnerabilities are constantly being discovered, and there is no blanket fix–each one is unique. A best practice is to decide which risks your organization can tolerate. When making an assessment, consider the following
Impact
How bad would it be if your organization’s application was attacked using the vulnerability?
Example: Any vulnerability that gives an attacker access to additional data is a big risk for an application that processes payments. But it might not be as risky on an application that only stores email addresses.
Exploitability
How easy is it to execute the vulnerability? Vulnerabilities that require more work to exploit are lower risk than those that are easy to take advantage of.
Aspects to consider:
Required permissions.
Level of access.
Overall complexity
Cost
Fixing a vulnerability takes money and a good amount of developers’ time. How expensive an open source vulnerability will be to address depends on how it can be remediated.
In many cases, the vulnerable component can be upgraded to a compatible patched version. When there isn’t a compatible version available, an organization will be forced to switch libraries or patch the components themselves. Both require a lot of work and resources that not everyone has.
