{"id":49808,"date":"2018-01-31T00:00:00","date_gmt":"2018-01-31T00:00:00","guid":{"rendered":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/"},"modified":"2021-07-12T19:27:02","modified_gmt":"2021-07-12T19:27:02","slug":"qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184","title":{"rendered":"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities?"},"content":{"rendered":"<p>Developing a system for assessing how seriously the <a href=\"\/definition\/16431\/software-development\" target=\"_blank\">software development<\/a> community should take vulnerabilities is a challenge, to put it lightly. <a href=\"\/definition\/589\/code\" target=\"_blank\">Code<\/a> is written by humans, and will always have flaws. The question then, if we assume that nothing will ever be perfect, is how do we best categorize the components according to their risk in a way that allows us to continue to work productively?<\/p>\n<h2><span id=\"just_the_facts\">Just the Facts<\/span><\/h2>\n<p>While there are many different approaches that one could take in tackling this problem, each with their own valid justification, the most common method appears to be based on a quantitative model.<\/p>\n<p>On the one hand, using a quantitative approach to judging the severity of a <a href=\"\/definition\/13484\/vulnerability\" target=\"_blank\">vulnerability<\/a> can be useful in that it is more objective and measurable, based solely on the factors related to the vulnerability itself.<\/p>\n<p>This methodology looks at what kind of damage could occur should the vulnerability be exploited, considering how widely used the component, library, or project is used throughout the software industry, as well as factors such as what kind of access it could give an attacker to wreck havoc should they use it to <a href=\"\/definition\/29060\/security-breach\" target=\"_blank\">breach<\/a> their target. Factors like easy potential exploitability can play a big role here in affecting the score. (For more on security, check out <a href=\"\/cybersecurity-how-new-advances-bring-new-threats-and-vice-versa\/2\/33054\" target=\"_blank\">Cybersecurity: How New Advances Bring New Threats &#8211; And Vice Versa<\/a>.)<\/p>\n<p>If we want to look on a macro level, the quantitative perspective looks at how a vulnerability could hurt the herd, focusing less on the damage that could fall upon the companies that are actually hit with the attack.<\/p>\n<p>The <a href=\"\/definition\/29829\/national-vulnerability-database-nvd\" target=\"_blank\">National Vulnerability Database<\/a> (NVD), perhaps the most well known <a href=\"\/definition\/1185\/database-db\" target=\"_blank\">database<\/a> of vulnerabilities, takes this approach for both versions 2 and 3 their Common Vulnerability Scoring System (CVSS). On their page explaining their metrics for evaluating vulnerabilities, they write of their method that:<\/p>\n<p style=\"margin-left: 20px;\">Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores.<\/p>\n<p>Based on the quantitative factors at play, the NVD is then able to come up with a severity score, both with a number on their scale \u2013 1 through 10, with 10 being the most severe \u2013 as well as categories of LOW, MEDIUM and HIGH.<\/p>\n<h2><span id=\"accounting_for_impact\">Accounting for Impact?<\/span><\/h2>\n<p>However, the NVD appears to be making an effort to stay clear of what we can term as more a qualitative measure of a vulnerability, based on how impactful a certain exploit has been in causing damage. To be fair, they incorporate impact in so far as they measure the impact of the vulnerability on the system, looking at the factors of <a href=\"\/definition\/10254\/confidentiality\" target=\"_blank\">confidentiality<\/a>, <a href=\"\/definition\/10284\/integrity\" target=\"_blank\">integrity<\/a> and <a href=\"\/definition\/990\/availability\" target=\"_blank\">availability<\/a>. These are all important elements to look at \u2013 like with the more easily measurable access vector, access complexity, and <a href=\"\/definition\/342\/authentication\" target=\"_blank\">authentication<\/a> \u2013 but they do not feel up to the task of relating the real-world impact when a vulnerability causes an organization real losses.<\/p>\n<p>Take, for example, the Equifax breach that exposed the <a href=\"\/definition\/4046\/personally-identifiable-information-pii\" target=\"_blank\">personally identifiable information<\/a> of some 145 million people, including their driver&#8217;s license details, social security numbers and other bits that could be used by unscrupulous characters to carry out massive fraud operations.<\/p>\n<p>It was the vulnerability (CVE-2017-5638) that was discovered in the <a href=\"\/definition\/3984\/struts-framework\" target=\"_blank\">Apache Struts 2<\/a> project that Equifax used in their web app that allowed the attackers to walk in the front door and eventually make it out with their arms full of juicy personal info.<\/p>\n<p>While the NVD rightly gave it a severity score of 10 and HIGH, their decision was due to their quantitative assessment of its potential damage and was not affected by the extensive damage that occurred later when the Equifax breach became public.<\/p>\n<p>This is not an oversight by the NVD, but a part of their stated policy.<\/p>\n<p style=\"margin-left: 20px;\">The NVD provides CVSS &#8220;base scores&#8221; which represent the innate characteristics of each vulnerability. We do not currently provide &#8220;temporal scores&#8221; (metrics that change over time due to events external to the vulnerability) or &#8220;environmental scores&#8221; (scores customized to reflect the impact of the vulnerability on your organization).<\/p>\n<p>For decision-makers, the quantitative measuring system should matter less since it is looking at the chances that it will spread harm across the industry. If you are the <a href=\"\/definition\/10484\/chief-security-officer-cso\" target=\"_blank\">CSO<\/a> of a bank, you should be concerned with the qualitative impact that an exploit can have if it is used to make off with your customer\u2019s data, or worse, their money. (Learn about different types of vulnerabilities in <a href=\"\/security\/the-5-scariest-threats-in-tech\/2\/27787\" target=\"_blank\">The 5 Scariest Threats In Tech<\/a>.)<\/p>\n<h2><span id=\"time_to_change_the_system\">Time to Change the System?<\/span><\/h2>\n<p>So should the vulnerability in Apache Strusts 2 that was used in the Equifax case receive a higher ranking in light of how extensive the damage turned out to be, or would making the shift turn out to be far too subjective for a system like the NVD to keep up on?<\/p>\n<p>We grant that coming up with the necessary data to come up with an &#8220;environmental score&#8221; or &#8220;temporal score&#8221; as described by the NVD would be exceedingly difficult, opening the managers of the free CVSS team up to unending criticism and a ton of work for the NVD and others for updating their databases as new information comes out.<\/p>\n<p>There is, of course, the question about how such a score would be compiled, as very few organizations are likely to offer up the necessary data on the impact of a breach unless they were required to by a disclosure law. We have seen from the case of Uber that companies are willing to <a href=\"https:\/\/www.nytimes.com\/2017\/11\/21\/technology\/uber-hack.html\" rel=\"noopener noreferrer\" target=\"_blank\">pay out quickly<\/a> in hopes of keeping the information surrounding a breach from reaching the press lest they face a public backlash.<\/p>\n<p>Perhaps what is necessary is a new system that could incorporate the good efforts from the vulnerability databases and add their own additional score when information becomes available so security and <a href=\"https:\/\/www.techopedia.com\/antivirus\/best-antivirus-software\">antivirus software<\/a> can prioritize the most urgent issues.<\/p>\n<p>Why instigate this extra layer of scoring when the previous one appears to have done its job well enough all these years?<\/p>\n<p>Frankly, it comes down to accountability for organizations to take responsibility for their applications. In an ideal world, everyone would check the scores of the components that they use in their products before adding them to their inventory, receive alerts when new vulnerabilities are discovered in projects previously thought to be safe and implement the necessary <a href=\"\/definition\/24537\/patch\" target=\"_blank\">patches<\/a> all on their own.<\/p>\n<p>Perhaps if there was a list that showed how devastating some of these vulnerabilities could be for an organization, then organizations might feel more pressure not to get caught with risky components. At the very least, they might take steps to take a real inventory of which <a href=\"\/definition\/3294\/open-source\" target=\"_blank\">open-source<\/a> libraries they already have.<\/p>\n<p>In the aftermath of the <a href=\"https:\/\/resources.whitesourcesoftware.com\/white-papers\/how-software-composition-analysis-could-have-prevented-the-equifax-breach\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">Equifax fiasco<\/a>, more than one <a href=\"\/definition\/13928\/c-level-executive\" target=\"_blank\">C-level executive<\/a> was likely scrambling to make sure that they did not have the vulnerable version of Struts in their products. It is unfortunate that it took an incident of this magnitude to push the industry to take their open-source security seriously.<\/p>\n<p>Hopefully the lesson that vulnerabilities in the open-source components of your applications can have very real-world consequences will have an impact on how decision makers prioritize security, choosing the right tools to keep their products and customers\u2019 data safe.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Developing a system for assessing how seriously the software development community should take vulnerabilities is a challenge, to put it lightly. Code is written by humans, and will always have flaws. The question then, if we assume that nothing will ever be perfect, is how do we best categorize the components according to their risk [&hellip;]<\/p>\n","protected":false},"author":7749,"featured_media":49809,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_lmt_disableupdate":"","_lmt_disable":"","om_disable_all_campaigns":false,"footnotes":""},"categories":[548,560,546],"tags":[],"category_partsoff":[],"class_list":["post-49808","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-privacy-and-compliance","category-software-development"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v23.8 (Yoast SEO v23.8) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities? - Techopedia<\/title>\n<meta name=\"description\" content=\"Everyone knows that a chain is only as strong as its weakest link, and the same goes for software - its security is only as strong as its weakest component.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities?\" \/>\n<meta property=\"og:description\" content=\"Everyone knows that a chain is only as strong as its weakest link, and the same goes for software - its security is only as strong as its weakest component.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184\" \/>\n<meta property=\"og:site_name\" content=\"Techopedia\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/techopedia\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-01-31T00:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-12T19:27:02+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1\" \/>\n\t<meta property=\"og:image:height\" content=\"1\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Rami Sass\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techopedia\" \/>\n<meta name=\"twitter:site\" content=\"@techopedia\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rami Sass\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184\"},\"author\":{\"name\":\"Rami Sass\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/e66bbd6dd5d22b7952e1fa04a0542d25\"},\"headline\":\"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities?\",\"datePublished\":\"2018-01-31T00:00:00+00:00\",\"dateModified\":\"2021-07-12T19:27:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184\"},\"wordCount\":1235,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.techopedia.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg\",\"articleSection\":\"\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184\",\"url\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184\",\"name\":\"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities? - Techopedia\",\"isPartOf\":{\"@id\":\"https:\/\/www.techopedia.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg\",\"datePublished\":\"2018-01-31T00:00:00+00:00\",\"dateModified\":\"2021-07-12T19:27:02+00:00\",\"description\":\"Everyone knows that a chain is only as strong as its weakest link, and the same goes for software - its security is only as strong as its weakest component.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#primaryimage\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg\",\"caption\":\"BrianAJackson\/iStockphoto\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.techopedia.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\/\/www.techopedia.com\/topic\/4\/cybersecurity\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.techopedia.com\/#website\",\"url\":\"https:\/\/www.techopedia.com\/\",\"name\":\"Techopedia\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.techopedia.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.techopedia.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.techopedia.com\/#organization\",\"name\":\"Techopedia\",\"url\":\"https:\/\/www.techopedia.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/08\/techopedia-light.svg\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/08\/techopedia-light.svg\",\"width\":209,\"height\":37,\"caption\":\"Techopedia\"},\"image\":{\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/techopedia\/\",\"https:\/\/x.com\/techopedia\",\"https:\/\/www.linkedin.com\/company\/techopedia\/\",\"https:\/\/www.youtube.com\/c\/Techopedia\"],\"publishingPrinciples\":\"https:\/\/www.techopedia.com\/about\/editorial-policy\",\"ownershipFundingInfo\":\"https:\/\/www.techopedia.com\/about\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/e66bbd6dd5d22b7952e1fa04a0542d25\",\"name\":\"Rami Sass\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.techopedia.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/human-people-person-face-portrait-man-head.jpg\",\"contentUrl\":\"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/human-people-person-face-portrait-man-head.jpg\",\"caption\":\"Rami Sass\"},\"description\":\"Rami Sass is CEO and Co-Founder of WhiteSource, the leading open source security and compliance management platform. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity.\",\"sameAs\":[\"https:\/\/www.whitesourcesoftware.com\/\",\"https:\/\/www.linkedin.com\/in\/sassrami\/\"],\"knowsAbout\":[\"CEO and Co-Founder of WhiteSource\"],\"url\":\"https:\/\/www.techopedia.com\/contributors\/rami-sass\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities? - Techopedia","description":"Everyone knows that a chain is only as strong as its weakest link, and the same goes for software - its security is only as strong as its weakest component.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184","og_locale":"en_US","og_type":"article","og_title":"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities?","og_description":"Everyone knows that a chain is only as strong as its weakest link, and the same goes for software - its security is only as strong as its weakest component.","og_url":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184","og_site_name":"Techopedia","article_publisher":"https:\/\/www.facebook.com\/techopedia\/","article_published_time":"2018-01-31T00:00:00+00:00","article_modified_time":"2021-07-12T19:27:02+00:00","og_image":[{"url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg","width":1,"height":1,"type":"image\/jpeg"}],"author":"Rami Sass","twitter_card":"summary_large_image","twitter_creator":"@techopedia","twitter_site":"@techopedia","twitter_misc":{"Written by":"Rami Sass","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#article","isPartOf":{"@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184"},"author":{"name":"Rami Sass","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/e66bbd6dd5d22b7952e1fa04a0542d25"},"headline":"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities?","datePublished":"2018-01-31T00:00:00+00:00","dateModified":"2021-07-12T19:27:02+00:00","mainEntityOfPage":{"@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184"},"wordCount":1235,"commentCount":0,"publisher":{"@id":"https:\/\/www.techopedia.com\/#organization"},"image":{"@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#primaryimage"},"thumbnailUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg","articleSection":"","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184","url":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184","name":"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities? - Techopedia","isPartOf":{"@id":"https:\/\/www.techopedia.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#primaryimage"},"image":{"@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#primaryimage"},"thumbnailUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg","datePublished":"2018-01-31T00:00:00+00:00","dateModified":"2021-07-12T19:27:02+00:00","description":"Everyone knows that a chain is only as strong as its weakest link, and the same goes for software - its security is only as strong as its weakest component.","breadcrumb":{"@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#primaryimage","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/word-biscuit-cookie-food-brochure-flyer-paper-poster-alphabet-ampersan-1.jpg","caption":"BrianAJackson\/iStockphoto"},{"@type":"BreadcrumbList","@id":"https:\/\/www.techopedia.com\/qualitative-vs-quantitative-time-to-change-how-we-assess-the-severity-of-third-party-vulnerabilities\/2\/33184#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.techopedia.com\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/www.techopedia.com\/topic\/4\/cybersecurity"},{"@type":"ListItem","position":3,"name":"Qualitative vs Quantitative: Time to Change How We Assess the Severity of Third-Party Vulnerabilities?"}]},{"@type":"WebSite","@id":"https:\/\/www.techopedia.com\/#website","url":"https:\/\/www.techopedia.com\/","name":"Techopedia","description":"","publisher":{"@id":"https:\/\/www.techopedia.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.techopedia.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.techopedia.com\/#organization","name":"Techopedia","url":"https:\/\/www.techopedia.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/08\/techopedia-light.svg","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/08\/techopedia-light.svg","width":209,"height":37,"caption":"Techopedia"},"image":{"@id":"https:\/\/www.techopedia.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/techopedia\/","https:\/\/x.com\/techopedia","https:\/\/www.linkedin.com\/company\/techopedia\/","https:\/\/www.youtube.com\/c\/Techopedia"],"publishingPrinciples":"https:\/\/www.techopedia.com\/about\/editorial-policy","ownershipFundingInfo":"https:\/\/www.techopedia.com\/about"},{"@type":"Person","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/e66bbd6dd5d22b7952e1fa04a0542d25","name":"Rami Sass","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.techopedia.com\/#\/schema\/person\/image\/","url":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/human-people-person-face-portrait-man-head.jpg","contentUrl":"https:\/\/www.techopedia.com\/wp-content\/uploads\/2023\/02\/human-people-person-face-portrait-man-head.jpg","caption":"Rami Sass"},"description":"Rami Sass is CEO and Co-Founder of WhiteSource, the leading open source security and compliance management platform. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity.","sameAs":["https:\/\/www.whitesourcesoftware.com\/","https:\/\/www.linkedin.com\/in\/sassrami\/"],"knowsAbout":["CEO and Co-Founder of WhiteSource"],"url":"https:\/\/www.techopedia.com\/contributors\/rami-sass"}]}},"modified_by":"Michael Simon","_links":{"self":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts\/49808"}],"collection":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/users\/7749"}],"replies":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/comments?post=49808"}],"version-history":[{"count":0,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/posts\/49808\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/media\/49809"}],"wp:attachment":[{"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/media?parent=49808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/categories?post=49808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/tags?post=49808"},{"taxonomy":"category_partsoff","embeddable":true,"href":"https:\/\/www.techopedia.com\/wp-json\/wp\/v2\/category_partsoff?post=49808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}