Application security

Why your company should prioritize security vulnerabilities by severity

Ted Harrington
February 2, 2022 by
Ted Harrington

Imagine that your application has two security flaws: one partially exposes non-identifying user information, while the other substantially exposes login credentials of your entire user base, including admin credentials. Of these two vulnerabilities, which would you want to fix first?

You’d want to deal with the latter immediately. That’s because vulnerabilities are not all the same; some are catastrophic, whereas others are not. 

To most effectively deal with security vulnerabilities in your company’s application, you’ll want to understand how severe they are, triage them based on severity and deal with them in a prioritized order. 

Download Ted's free ebook, "How to secure your software faster and better."

Get Your Copy

What causes vulnerabilities?

Before prioritizing and fixing your system’s vulnerabilities, it’s important to understand their nature. Where they came from impacts what you need to do to fix them. Your vulnerabilities result either from how you designed the system or from how you implemented that design. 

Implementation flaws are when the system works differently than intended. For example, you designed an authentication model that allows access for some users and prevents access for everyone else. A vulnerability might enable an attacker to bypass that protection. 

You obviously didn’t mean it to work that way, but nevertheless, it did. Issues like this happen when the design is fine, but you made a mistake in how you executed it. Fixing these issues means correcting those mistakes.

By contrast, design flaws are issues with the design itself. They happen when the system works exactly as intended, and yet the attacker can use that intended functionality to exploit the system anyway. 

For example, you might implement rate limiting to lock an account that receives too many failed login attempts. However, if poorly designed, it could provide an attacker a way to intentionally trigger it across all users, making the system unusable. 

Fixing design-level issues requires you to adjust the design itself. Depending on the issue, that could be a tremendous undertaking.

Grading vulnerability severity

Now that you understand the nature of vulnerabilities, you’ll want to grade the severity of a given flaw. 

Vulnerability severity balances many factors, including attacker skill, motivation, access and resources. It accounts for the complexity of both the system and the attack. It considers how easy the vulnerability would be to exploit and how catastrophic the outcome would be if that happened. It also helps you figure out what to remediate first. 

You want a system in place to grade severity so you know where to focus your efforts, and in what order. With a system in place, the highest-risk security flaws can be dealt with as quickly as possible. 

Note that grading severity is an imperfect science. It’s highly dependent on your specific situation, and security professionals may vary slightly in how they define or measure it. No matter what, though, severity ratings should be customized to the system evaluated. 

Different levels of severity 

Irrespective of how severity is determined, vulnerabilities typically fall into categories: critical, high, medium and low.

Low-severity vulnerabilities leave assets partially exposed to attack but don’t pose an immediate threat to the most valuable assets. Medium vulnerabilities are not a significant risk to the system alone but could lead to exploitation if combined with other issues. High-level vulnerabilities heavily expose the system but demand additional attack requirements. Critical vulnerabilities are readily exploitable or substantially exposed and would deliver excessive damage. 

Once you’ve categorized your company’s vulnerabilities, how should you respond?

Fix the most dangerous vulnerabilities first, and then plan how to address the rest. With critical and high-severity vulnerabilities, that means stop everything and address the issues right away. Fixes for medium and low vulnerabilities can be integrated into your development roadmap and addressed over time. 

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

Remediating your vulnerabilities

As a security effort, grading and fixing vulnerabilities is done collaboratively between your in-house teams and an external security partner. Usually, what happens is your security partner assigns the severity rating, and you work with them to adjust if needed. 

As far as how to do the remediation, that advice is pretty straightforward: follow the guidance outlined in your security assessment report. Assuming you’ve hired a reputable external security partner and performed the right kind of testing, this part is as simple as it gets. The instructions should be right there for you in the report deliverable, and your security partner can guide you if you get confused (if you don’t have these things, you may be investing in the wrong kind of security testing).

You’ve already prioritized the vulnerabilities by severity; now you just need to remediate them starting with the highest-risk vulnerabilities first. With this plan in place, critical flaws that risk your most important assets won’t get lost at the bottom of the “to-do” pile. Instead, you’ll be ready to catch and deal with them as soon as they appear — leaving little time for your system to be exploited by attackers. 

Ted Harrington
Ted Harrington

Ted Harrington is the #1 bestselling author of "Hackable", which led to his TED talk “Why You Need To Think Like a Hacker.” He’s the Executive Partner at ISE, the company of ethical hackers famous for hacking cars, medical devices, and web apps; he also co-founded START, software which simplifies vendor risk management. His clients include Google, Amazon, and Netflix, and he has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded IoT Village, an event series whose hacking contest is a four-time DEF CON Black Badge winner, and he hosts the Tech Done Different podcast.