Hello and welcome to the Tuesday, April 21st, 2006 edition of the Sands Internet Storm Centers.

Stormcast, my name is Johannes Ulrich, recording day from Amsterdam, Netherlands.

And this episode is brought you by the sands.edu credit certificate program

in cybersecurity leadership. Well, I already mentioned that we do have this flood of new

vulnerabilities that's currently sort of hitting the CVE database that has caused the issues like, for example,

NVD no longer being able to really provide enrichment for many of the new discovered

vulnerabilities. So what are some of the alternatives? And we do have an option here by

Xavier, the EPSS.

EPSS stands for the exploit probability scoring system, and what it attempts to accomplish is

to essentially assign a probability to a vulnerability to figure out how likely it is to

actually be exploited, which of course then

assists you in properly prioritizing this vulnerability. What also makes this interesting is that

this is a newer system was just introduced a few years ago and updated then again three years ago.

Well, this system developed by first is based on an automatic generation of these EPSS scores.

So that makes it sort of more inherently scalable than some of the work that NIST has been doing. So pretty interesting number

that you can add to your vulnerability management process. And to help you out with this,

Xavier also demonstrated how to automatically use it to enrich your data. And as an example,

Xavier implemented this enrichment in Wazoo.

So take a look at the diary and see if this is something that may be useful for your

vulnerability management program. And talking about all the things that can go wrong when

you are rolling out patches. Well, Microsoft this weekend did release an out-of-band patch for Server 2025 to address

issues that were introduced with the security updates released last Tuesday.

...