The final part of triage is understanding the types of vulnerabilities that should worry you most. Different types of vulnerabilities present different types of risks. If an exploit isn’t available, that certainly lowers the risk. However, just as each application poses different risks, the types of vulnerabilities that should worry you most differ per application as well.
Some may enable attackers to execute denial of service attacks, some may result in escalated privileges, while others could allow the attacker to read or modify data. These are referred to as the “technical impacts” of a vulnerability, and are important from a security standpoint.
For instance, if your business involves a social media application, maintaining uptime, or availability of the application, may be critical. A distributed denial of service (DDoS) attack will affect revenue by limiting advertising exposures, and frustrate users who can't publish updates to their social media profile. In this type of application, vulnerabilities whose technical impact is reduced availability take priority over others. Conversely, if you have an online banking application, you would much rather have the application be unavailable than have an attack that might allow the hacker to execute code, or read or modify data.
You can determine a vulnerability's technical impact by checking its CWE (Common Weakness Enumeration) entry. Each CVE can be mapped to a software weakness, and each weakness can in turn be mapped to various technical impacts. This type of information helps you improve your vulnerability management process immeasurably.
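The CVE to CWE to technical-impact chain above, combined with the per-application weighting from the social media and online banking examples, can be turned into a small ranking step in a triage pipeline. The following is an added example, not code from the original article: the CVE identifiers are placeholders, the CWE-to-impact table is a constructed, abbreviated subset that follows the wording of the "Common Consequences" technical-impact values in CWE entries, and the application profiles and exploit-availability discount are assumptions chosen to mirror the text.

```python
"""Rank findings by technical impact, weighted per application profile.

Added example. CVE ids are placeholders; the CWE -> impact table is a
constructed, abbreviated subset modeled on CWE "Common Consequences"
wording; the profiles and the exploit discount are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set

# Technical impact categories (labels follow CWE Common Consequences wording).
EXEC = "Execute Unauthorized Code or Commands"
READ = "Read Application Data"
MODIFY = "Modify Application Data"
PRIV = "Gain Privileges or Assume Identity"
DOS = "DoS: Resource Consumption"

# CWE -> technical impacts (constructed, abbreviated subset).
CWE_IMPACTS: Dict[str, Set[str]] = {
    "CWE-79": {READ, EXEC},          # cross-site scripting
    "CWE-89": {READ, MODIFY, PRIV},  # SQL injection
    "CWE-400": {DOS},                # uncontrolled resource consumption
    "CWE-787": {EXEC, DOS},          # out-of-bounds write
    "CWE-269": {PRIV},               # improper privilege management
}

# Per-application weight of each impact (assumed values reflecting the text:
# a social media site fears lost availability most; a bank fears code
# execution and data read/modify most and tolerates downtime).
PROFILES: Dict[str, Dict[str, int]] = {
    "social_media": {DOS: 10, EXEC: 7, MODIFY: 5, PRIV: 5, READ: 4},
    "online_banking": {EXEC: 10, MODIFY: 10, READ: 9, PRIV: 9, DOS: 3},
}


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder id, not a real CVE
    cwe: str                 # weakness the CVE maps to
    exploit_available: bool  # whether a public exploit is known


def technical_impacts(cwe: str) -> Set[str]:
    """Return the technical impacts for a CWE; empty set if unmapped."""
    return set(CWE_IMPACTS.get(cwe, ()))


def score(finding: Finding, profile: str) -> int:
    """Score a finding 0-10 by its worst impact under the given profile.

    Unmapped CWEs score 0 so they surface for manual review rather than
    silently inheriting a guessed weight. As the text notes, the absence
    of an available exploit lowers the risk; this assumed model halves it.
    """
    weights = PROFILES[profile]
    impacts = technical_impacts(finding.cwe)
    if not impacts:
        return 0
    worst = max(weights.get(impact, 0) for impact in impacts)
    return worst if finding.exploit_available else worst // 2


def rank(findings: List[Finding], profile: str) -> List[Finding]:
    """Order findings by descending score; ties broken by id for stability."""
    return sorted(findings, key=lambda f: (-score(f, profile), f.cve))


# Constructed sample findings (placeholder ids).
SAMPLE: List[Finding] = [
    Finding("CVE-PLACEHOLDER-1", "CWE-400", exploit_available=True),
    Finding("CVE-PLACEHOLDER-2", "CWE-89", exploit_available=True),
    Finding("CVE-PLACEHOLDER-3", "CWE-787", exploit_available=False),
    Finding("CVE-PLACEHOLDER-4", "CWE-79", exploit_available=True),
]

if __name__ == "__main__":
    for profile in PROFILES:
        print(profile)
        for f in rank(SAMPLE, profile):
            print(f"  {score(f, profile):2d}  {f.cve}  {f.cwe}  "
                  f"{sorted(technical_impacts(f.cwe))}")
```

Running it shows the same four findings ordered differently for the two profiles: the resource-consumption weakness tops the social media list, while SQL injection and cross-site scripting top the banking list and the DoS finding drops to the bottom. Taking the worst impact rather than summing them keeps a weakness with many minor consequences from outranking one with a single severe consequence.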