Patch What Matters: Rethinking Vulnerability Prioritization

Transcript

1. Patch What Matters OWASP Berlin Meetup 03.12.2025 Ali Yazdani Rethinking

   Vulnerability Prioritization

2. Readme Ali Yazdani • A Security Engineer • +10 years

   of security experience • OWASP MSTG Contributor • OWASP DevSecOps Guideline Project Lead https://www.youtube.com/@SecurityTalks https://scandog.io https://asecurityengineer.com

3. The Problem Alert Fatigue is Real • Enterprise avg: 10K+

   vulns/month • SAST: 40-70% FP rate • SCA: 80% findings in transitive deps • Container: 100+ CVEs per base image • Remediation rate: <5% Root cause: CVSS-based prioritization doesn't work!

4. 4 Prioritization Framework Risk = Severity × EPSS*1 × KEV*2

   × Reachability × Exposure Condition EPSS Reachable Priority KEV=true Any Any P0 - Fix KEV=false >50% Yes P0 - Fix KEV=false 10-50% Yes P1 - Plan KEV=false >10% No P2 - Track KEV=false <10% Any P3 - Ignore *1 - EPSS (Exploit Prediction Scoring System): • Predicts probability of exploitation in next 30 days • Uses ML trained on real-world exploit data • Scale: 0.00001 (0.001%) to 1.0 (100%) • Percentile ranking shows relative risk • https://api.first.org/data/v1/epss *2 - KEV (Known Exploited Vulnerabilities): • CISA catalog of actively exploited CVEs • Updated continuously with real incidents • https://www.cisa.gov/known-exploited-vulnerabilities

5. Reachability

6. SAST - Dataflow Analysis Dataflow analysis tracks how data moves

   through your code to find security vulnerabilities. The Three Key Elements: • Source (where dangerous data enters) a. User input: request.args.get('id') b. Data is marked as TAINTED • Sanitizer (functions that clean data) a. bleach.clean(), int(), parameterized queries b. Should remove the taint • Sink (dangerous operations) a. db.execute(), os.system(), eval() b. If tainted data reaches here → vulnerability

7. SAST - Dataflow Taint Analysis Tracking: Dataflow Graph:

8. What is a Call Graph? A call graph is a

   map showing which functions call which other functions in your code. Think of it like a family tree, but for function calls. SAST - Call Graph

9. SAST - Call Graph - Interprocedural Analysis

10. What is Tree-sitter? Tree-sitter is a parser generator that creates

    an Abstract Syntax Tree (AST) for code. Think of it as understanding the grammar and structure of code, not just pattern matching. SAST - Tree-sitter

11. SAST - Tree-sitter - Example 1 What Tree-sitter Sees: 1.

    Parse the code into AST 2. Find `FunctionDef` node named `api_endpoint` 3. Check for `decorator_list` child node 4. Find `csrf_exempt` in decorator list 5. Conclusion: This function explicitly exempts CSRF (API endpoint, likely uses token auth) 6. Result: Don't flag as missing CSRF protection False Positive (Should be Safe)

12. SAST - Tree-sitter - Example 2 What Tree-sitter Sees: 1.

    Parse the code into AST 2. Find `FunctionDef` node named `payment_form` 3. Check for `decorator_list` child node 4. decorator_list is EMPTY (no decorators) 5. Check if framework provides default CSRF (Django does for POST) 6. No `@csrf_exempt`, but also no explicit `@csrf_protect` 7. Conclusion: Vulnerable if not using Django's middleware 8. Result: Flag as potential CSRF vulnerability ❌ True Positive (Actually Vulnerable)

13. SCA - Call Graph Analysis

14. SCA - Dependency Tree Analysis

15. Container - EPSS/KEV

16. Container - Layer Context

17. 17 Questions? OWASP Berlin Meetup

18. 18 This project aims to build a community-driven repository of

    detailed, service-specific threat models for widely used cloud, container, and web services (e.g., AWS S3, EKS, NGINX, PostgreSQL, OAuth). It bridges the gap between generic frameworks and real-world infrastructure challenges by offering actionable threats, clear categorizations, mitigation guidance, and tool integrations—helping teams design and assess systems with better, more practical security. OWASP Threat Atlas

19. THANK YOU Ali Yazdani OWASP Berlin Meetup - 03.12.2025