Getting CVSS, NVD, and CVEs to Work for You: Standardizing and Scaling Your Vulnerability Risk Analysis

BSidesLV 2019

Presented by: Matthew Hahn, Luke Szczutowski
Date: Wednesday August 07, 2019
Time: 14:30 - 14:55
Location: Common Ground

Organizations are routinely required to present their risk and security posture to customers, management, and auditors. There is a myriad of vulnerability datasets and online risk scoring tools available, but how can you use them to your advantage? This talk focuses not only on getting those troublesome scores and online databases to cooperate, but also on setting them up to do your work for you. We will review the current standard data sources and scoring models; the ways common environmental factors (network placement, required privileges, available fixes) mitigate risk and how they apply in CVSS scoring calculations; and how to aggregate and use the results to inform security decisions within your organization.

Matthew Hahn

Matt is a Director of Information Security at First Information Technology Services with over 10 years of professional experience in the regulatory environments of IT security, housing, and accounting. He specializes in vulnerability management and risk analysis, and he is an expert in FedRAMP Continuous Monitoring with working knowledge of the entire FedRAMP process. In his role at FITS, Matt manages continuous monitoring work for commercial clients and provides guidance to customers for their compliance audits. He uses his expertise to help customers drive vulnerability remediation and improve their cybersecurity risk posture.

Luke Szczutowski

Luke is an Offensive Security Certified Professional and a professionally trained digital forensic analyst regularly involved in local and national cybersecurity events, including competing yearly at DEF CON. Luke currently works as a Security Analyst on the Azure team at Microsoft, applying his passion for offensive security to provide expert-level risk analysis. He has previously led penetration tests as a part of 3PAO engagements for clients pursuing FedRAMP accreditation, and he has extensive experience driving vulnerability management in hyperscale cloud environments and scoring risks using CVSS.


KhanFu - Mobile schedules for INFOSEC conferences.