Every organization starting a security testing program struggles with addressing vulnerabilities. Because resources are limited in virtually all organizations, prioritizing this work is a requirement. That's where assessing vulnerability criticality comes in.
My previous post explained three steps to risk ranking your applications. This is critical because, quite simply, some of your applications warrant more scrutiny than others. Those applications that manage sensitive data or are core to achieving your business goals should be at the top of your list. Other applications, perhaps those that can’t be reached from outside your environment, may deserve less of your attention.
Once you have prioritized your applications, the next step is understanding which vulnerabilities pose the greatest risk.