Low-, medium-, and high-severity patching cadences analyzed

This article addresses three informational issue types:

• Low-severity CVE patching analyzed
• Medium-severity CVE patching analyzed
• High-severity CVE patching analyzed

Names in API: patching_analysis_low, patching_analysis_medium, patching_analysis_high
No severity: Informational
Factor: Patching Cadence
Those issues types are not available in Custom Scorecards.

Why this matters

Keeping software versions up to date in a timely and repeatable cadence for all your assets is critically important, not only for your cybersecurity posture, but also for optimal performance of your network services:

• Mitigate vulnerabilities as soon as possible to prevent exploits and reduce your asset exposure.
• Keep your compliance efforts current with industry standards.
• Deploy bug fixes as soon as they are available to keep customers happy.
• Reduce operational downtime by keeping your systems up to date. 

How we make this analysis

We analyze patching coverage for Common Vulnerabilities and Exposures (CVEs) that we found in your environment. We base this analysis on:

• The number and percentage of high-severity vulnerabilities that were resolved on the network since their detection
• The average resolution time over a 180-day period.

We publish these findings with every scoring update and break them down in a table of metrics for each issue type:

Patching analysis for three severity tiers

We publish this analysis in three issue types based on CVE severity level, as rated in the National Vulnerability Database:

• Low-severity CVEs have a Common Vulnerability Scoring System (CVSS v2) base score of lower than 4.0.
• Medium-severity CVEs have a Common Vulnerability Scoring System (CVSS v2) base score that ranges between 4.0 and 6.9.
• High-severity CVEs have a Common Vulnerability Scoring System (CVSS v2) base score that ranges between 7.0 and 10.

What actions can you take?

Observe the following best practices to maintain a healthy patching program:

• Monitor CVE lists and vulnerability repositories for exploit code that may affect the network infrastructure.
• Subscribe to the National Vulnerability Database (NVD) RSS or other feeds to learn of new exploits and vulnerabilities as they are released.
• Maintain a regular updating schedule for all your software and hardware, and apply all the latest patches as they are released.
• Correlate this analysis with individual CVE findings in your Scorecard to help you better understand the effectiveness of your patching practices.

Can resolve these issue types in SecurityScorecard?

You cannot submit Resolution requests for these three issue types. They do not directly point out specific risks or problems. They summarize how quickly you apply patches for different vulnerabilities.