Welcome to our blog.

An IT match made in… Belgium! Aikido Security, a SaaS startup from Ghent, will provide application security to The Cronos Group, an e-business integrator headquartered in Kontich, with over 5,000 clients across their 570+ companies in the Benelux region. This strategic partnership is set to fortify The Cronos Group’s security posture and Aikido Security’s influence in the cybersecurity industry.

Stronger security posture with Aikido

The Cronos Group is now a new Aikido client. In this context, The Cronos Group is in the process of implementing Aikido’s security solutions across many of its software development companies. Why is this useful for The Cronos Group? Not only does it help establish a stronger security posture for each company in its network, but it also creates another great advantage. Aikido pulls it all together for Cronos, which will gain a more insightful and standardized global overview of the security posture of these companies than ever before.

Beyond that, Aikido entrusts The Cronos Group to become a true partner as well. In this context, Cronos will be able to provide Aikido to its customers so they, too, have the opportunity to benefit from Aikido’s services. On top of that, Cronos and Aikido actively work together to further improve the product features.

Aikido’s unique set of security tools and ability to reduce false positives will deliver efficiency to the development teams in The Cronos Group’s network of companies and customers. This means less disruption from unnecessary alerts leading to more focus on writing code. The Cronos Group aims to help companies find creative, high-quality, and profitable ways to make the most of potential new technologies. Therefore, this partnership aligns perfectly with its mission.

Aikido pulls it all together in a dedicated “Security Partner Portal”. Through this partner portal, The Cronos Group is able to gain a more insightful and standardized global overview of the security posture of their companies than ever before.

The Cronos Group and Aikido comment on their partnership

The Cronos Group can’t wait to get started with Aikido.

The Cronos Group has always been supporting innovation and entrepreneurship, including cyber security. We’re always on the lookout for partners to strengthen our alliances. Through Aikido, we want to enable our developers and clients to build in security from the first line of code. By combining automation with intelligence, they can focus on the business value while safeguarding their own scarce time and keeping the exposure to a minimum.
Jonas Buyle, Cronos Security

Meanwhile, what benefits does this new partnership bring to Aikido? "We're thrilled to welcome The Cronos Group to the Aikido Security family,” explains Aikido cofounder and CEO, Willem Delbare. “As both a customer and a reseller, The Cronos Group represents a key partnership in our mission to make managing your security posture simple. Our collaboration promises to provide unparalleled insights into the security posture of the portfolio of companies within The Cronos Group. Together, we aspire to elevate the standards of application security across the board."

About Aikido Security

Aikido Security is a developer-first software security platform. We scan your source code & cloud to show you which vulnerabilities are actually important to solve. Triaging is sped up by massively reducing false positives and making CVEs human-readable. Aikido makes it simple to strengthen your security posture to keep your product secure. And, it gives you back time to do what you do best: writing code.

About The Cronos Group

The Cronos Group is an e-business integrator delivering high-quality ICT solutions to enterprises and government entities in the Benelux region. The Cronos Group was founded by and for ICT technologists with the goal of helping them grow their careers and entrepreneurship. This mission expanded to include creative professionals in order to jointly design and implement creative and technologically leading solutions for its customers. Since its inception in 1991, The Cronos Group expanded from a one-person operation to a group of companies employing over 9000 professionals across 570+ companies.

It’s always great news when we hear about a customer’s delight when using Aikido Security. But, we don’t want to keep all the good stuff to ourselves! Let’s focus on Loctax, the first-ever collaborative tax governance platform for global in-house tax teams.

Loctax delivers its tax services to companies such as Wise, PedidosYa, Iba, Luxottica, and Trainline. For Loctax, it’s vitally important to go above and beyond to ensure the security and compliance of their environment and customer data.

Together, we improved their triaging speed by reducing false positives and irrelevant security alerts. But, we didn’t stop there. We also improved Loctax's security posture while it accelerated product development. Overall, the result has been saving valuable time and money. As Loctax reduces tax risk headaches for its customers, Aikido reduces security risks for Loctax.

The challenge: striking a balance between speed and security

Loctax faced a common dilemma. How could it balance rapid product development with uncompromising security? The pressure was on to deliver top-notch solutions for its customers. Meanwhile, Loctax also needed to safeguard sensitive tax data and stay compliant with the highest security standards. On top of that, they needed to do this with a small team while optimizing for cost.

However, Loctax encountered obstacles with its existing security solution. False positives were more abundant than snow in Alaska, consuming valuable time in triage and analysis work.

This is no surprise to us. In our recent consultations with SaaS CTOs, false positives ranked as the number two security flaw with their current security software choices. These CTOs also ranked eliminating false positives as the second most important activity to achieve strategic business outcomes. So it turns out that Loctax’s needs fit right in with what SaaS CTOs are telling us. And, let’s face it, false positives also desensitize you from looking at the things that really matter.

Meanwhile, overlapping findings from different tools created another roadblock on their path to being secure. The lack of tool integration made it challenging to get a central overview of real security priorities.

To top it all off, the subscription costs of the security solutions they were already using were surging due to rapid team growth. This fee-per-head pricing method was putting a strain on their security budget.

Put all this together, and it became clear to Loctax’s CTO and co-founder, Bart Van Remortele, that he needed to change the company’s approach. He decided to find new tools to combat these challenges and discovered Aikido Security.

Aikido Security delivers results for Loctax

Switching to Aikido Security’s product was a game-changing decision for Loctax and has brought many positive outcomes.

Auto Triage: the power of efficiency

Our auto triage feature emerged as a true black belt! It filtered out the noise and false positives that had been distracting. Not only that, but we also provide a custom vulnerability reachability engine. This checks if a vulnerable function is actually reachable.

With this pesky clutter cleared out and real vulnerabilities clearly identified and prioritized, Loctax's development team was able to become more efficient and productive. They boosted productivity by saving precious time that was previously lost to unnecessary investigations.

A unified dashboard: harmonizing security workflow

Aikido, the martial art, provides skills to defend yourself effectively while using the least amount of effort. Aikido Security applies this principle. For Loctax, we supplied a single dashboard that became the hub of security operations.

Integration into Loctax's existing tech stack was a breeze. Aikido offers a comprehensive view of all security issues without the headache of overlapping notifications. When critical security events arose, timely alerts popped into their relevant Slack channels. Therefore, with effortless integration into project management tools, Aikido smoothed out security task management.

Cost savings: 50%

Consolidating the security toolset proved to be a masterstroke. Consequently, Aikido Security's impact on Loctax's finances was significant. The result? A remarkable 50% reduction in security operations costs. Yes, you read that correctly - 50%! As Loctax's team continued to grow, its security expenses no longer created budget headaches. This left more resources for Loctax’s core mission: providing in-house tax teams with a new standard for tax management and operations.

Aikido Security helps defend your SaaS

Let’s be clear: there is pressure on SaaS companies to pursue first-class security, and Loctax is no different. But, it’s extremely hard for a team focused on developing a product to also manage the complexity of their whole security posture in-house. Our partnership with Loctax exemplifies the transformative power of Aikido Security for companies in this situation. Loctax can fully focus on collaborative tax management for in-house tax teams, and Aikido keeps it secure.

We have replaced our previous solution with Aikido due to its superior performance and effectiveness. - Bart Van Remortele, CTO and co-founder of Loctax

By embracing Aikido's solutions, Loctax optimized its security posture and eliminated false positives. This saved precious time and achieved remarkable cost efficiencies. Their development team's speed remained unshaken, and their security became stronger than ever.

Aikido Security helps defend your SaaS

Make your first tai-sabaki with Aikido by scanning your repos for free. In less than 2 minutes, you'll gain valuable insights into your security posture. Empower your organization, boost development, and embrace the peace of mind that comes with a solid security defense.

Download our Loctax customer case study.

GHENT, November 14th 2023

Aikido Security, the developer-first software security app for growing SaaS companies, today announces it has raised €5m in a Seed round co-led by Notion Capital and Connect Ventures; with investment from Inovia Capital Precede Fund I, led by partners Raif Jacobs and former Google CFO Patrick Pichette; as well as an impressive roster of angel investors including Christina Cacioppo, CEO of Vanta.

The investment will go towards developing the functionality of the software, in particular ensuring that Aikido’s user-experience and auto-triage is best in class, while keeping the product simple; hiring staff across the product, development, marketing and sales teams; and further growing the Aikido customer base, with a particular focus on solidifying and expanding its already strong foothold across Europe and North America.

As CEO & CTO of Aikido, Willem Delbare explains, “SaaS companies that are building their platform often ‘secure’ their new software by installing numerous scattered tools. This can generate a lot of noise for the developers and throw up a myriad of disparate ‘false positives’, which require attention, but pose no real threat. This causes a huge burden on the staff managing platform security. The problem is only exacerbated by growth -- which can happen quickly in SaaS -- creating huge headaches for the staff responsible for security.”

Delbare continues “Alternatively, if startups choose not to install these tools, they may instead adopt expensive security software solutions which only cover a few factors of application security. Companies are then left with huge gaps in their software’s security, despite their investment. Due to their cost, vulnerability scanners are mostly tailored to larger enterprises, with SME and mid-market companies left without a viable solution to their growing platform’s security.”

Aikido is on a mission to simplify SaaS security with its all-in-one tool that consolidates various application security features. Instead of disjointed solutions, this unified approach enhances control and significantly cuts down on false positives. So far, the company has saved over 1,500 developer working days that would otherwise be spent on false positives. Aikido ranks vulnerabilities by severity, ensuring critical issues are addressed first. Plus, all security data stays within the platform, ensuring safety regardless of staff changes and aiding in business continuity.

Delbare, continues, “Throughout my career I have built multiple SaaS startups, and wasted hundreds of hours piecing together a patchwork of tools needed to secure a new platform. In starting Aikido, I saw a better way to identify critical breaches whilst downgrading the distracting ‘non-issues’ that waste an engineer’s time. We are the only company in Europe doing this, demonstrating a renewed energy for startups in the continent. Our customers now include startups, as well as companies that have grown to over 300 developers - which has resulted in over 1000 total installs in just one year - a rarity in the world of new SaaS solutions. Looking forward, we want to out-do our competitors by offering a solution tailored to those who have yet to find a product that meets their needs.”

Kamil Mieczakowski, Partner at Notion Capital says, “As the pressure on small and mid-sized businesses mounts to demonstrate ever-increasing levels of cyber resilience, the landscape of security tools available to them continues to present challenges, characterized by fragmentation, complexity, and cost. Aikido provides a powerful yet easy-to-use end-to-end solution for code and cloud security, empowering any business to secure itself and its customers through a single tool capable of transforming every developer into a security expert. Despite being only one year old, the company is already scaling rapidly, and we're thrilled to support them on this exciting trajectory alongside our friends at Connect Ventures and an incredible group of angel investors and advisors.”

Pietro Bezza, Co-Founder and Managing Partner at Connect Ventures says, "In this new b2b software world, businesses seek SaaS products that combine efficacy with efficiency, value for money, simplicity and focus. We are in the era of the Great Bundle. Driven by the need for efficiency, customers are consolidating point solution software into full-stack software suites. Aikido all-in-one platform for software security fits extremely well with this new framework. We couldn’t be more thrilled to back Willem, Roeland and Felix in democratising access to the best security toolings for every company's size and budget."

Aikido offers the fastest way for a growing SaaS company to secure its platform. The application delivers swift, customer-led onboarding with an instant view of all the critical vulnerabilities to be solved - typically in only a few minutes - lending users the time to focus on core business functions. With world-beating noise reduction, Aikido is able to massively reduce the number of false positives. It adopts a ‘shift left’ approach, the goal of which is to prevent security issues from entering the code which means that if anything goes wrong during the development process, it can be fixed before any breach occurs or that code reaches production.

Designed for SaaS companies, Aikido is a crucial component for meeting critical industry compliance standards, including SOC2, ISO 27001, CIS, HIPAA, and the upcoming European NIS 2 Directive.

About Aikido Security
Aikido is an all-in-one solution that brings together multiple aspects of application security in one intuitive platform. This inclusive approach provides greater control for end users, drastically reducing the number of false positives during security checks. Aikido is founded by Willem Delbare (former founder of Teamleader and Officient), Roeland Delrue (former Showpad), and Felix Garriau (former nexxworks) and venture-backed by Notion Capital, Connect Ventures, and Syndicate One.

We’re proud to announce that Aikido Security recently attained ISO 27001:2022 certification. This is a big milestone for us and demonstrates our commitment to information security.

What is ISO 27001:2022?

ISO 27001 is a globally recognized standard for the establishment and certification of an Information Security Management System (ISMS). The 2022 version of this certification ensures that Aikido Security is aligned with current best practices in information security management. We specifically chose the 2022 version (over the 2013 & 2017 versions), as this new version focuses more on secure coding, threat detection, etc. These are items that we consider important and relevant to a software company.

Achieving ISO 27001:2022 compliance is a significant accomplishment for Aikido Security. It underscores our dedication to providing secure and reliable solutions to our clients.
Willem Delbare, CEO of Aikido Security

What motivated Aikido to pursue ISO 27001 certification?

We're a challenger in the security space and one of the first things we ask from new customers, is that they give us read access to their codebase. That's a big deal. And we understand - and agree - that's a big deal.

For customers to comfortably trust us with their codebase, they need to trust us as a company and trust our product. Becoming ISO27001 compliant is a huge leap forward in building and proving that trust.

What we learned on the path to ISO 27001 compliance

In a future blog post I’ll lay out my key learnings, but I want take this opportunity to share some brief insights about our journey.

Our ISO 27001:2022 journey

We got through the whole process in about six months. We had previously implemented SOC 2, so we already had many policies, documents and best practices in place. This allowed us to re-use and apply a lot of that to our ISO.

Because we firmly believe in using the right tool for the job, we took the opportunity to take a modern approach and used Vanta, which automates a lot of the work required to obtain ISO 27001.

Achieving ISO 27001:2022 demands patience and commitment. It's essential to surround yourself with reliable partners and gather knowledge beforehand.
Roeland Delrue, COO & CRO of Aikido Security

The high-level process

1. Internal audit (pre-audit)

You can think of the internal audit as a 'general rehearsal' or 'mock audit', to make sure you're ready to do the 'real' audits. The internal audit makes sure you didn't miss any obvious things that you wouldn't be able to remediate in the later stages.

Quick tip: Use a good internal or external pre-auditor. This really helps you get set up correctly. Unless you have relevant and proven experience in ISO, it’s probably best to hire an external pre-auditor. Leveraging their experience will prove really valuable.

2. Stage 1 audit

Stage 1 is largely a “tabletop audit” or documentation review
This audit consists of an extensive documentation review. An external ISO 27001 auditor reviews policies and procedures to ensure they meet the requirements of the ISO standard and the organization’s own Information Security Management System (ISMS).

3. Stage 2 audit

Stage 2 is a full-on system audit with lots of control testing
The auditor performs tests to check that the Information Security Management System (ISMS) was properly designed and implemented and is functioning correctly. The auditor will also evaluate the fairness and suitability of the organization’s controls to determine whether the controls have been implemented and are operating effectively to meet the ISO 27001 standard requirements.

4. Certification

After you’ve remediated or come up with an action plan for your non-conformities, you’re ready for validation. ISO 27001 non-conformities are categorized as minor, major, or opportunities for improvement (OFIs). It’s of course critical to show you’ve remediated or you can clearly show you’re on a path to remediate all major non-conformities.

And then... it’s time to get your certificate 🎉🥳

How long does it take to become ISO 27001 compliant?

You can’t do it in less than two months. And that assumes that you have everything ready to go, including a pentest and auditor.

Even then, you might need a few months to make sure you encounter enough information security events, as some processes can only take place when a certain event happens (e.g. onboarding or offboarding an employee).

You also have to show that you can remediate non-conformities and demonstrate that you’re able to collect evidence. This process involves identifying the event, logging and classifying it, and thoroughly documenting the information security event.

How much does becoming ISO 27001 compliant cost?

Depending on how in-depth the pre-audit and pentest go, the whole process will typically cost you USD 20,000-50,000.
You’ll need to pay for the following:

• Pre-auditor
• Pentest (you can leverage this from other compliancy tracks, e.g. if you’re already doing one for SOC 2)
• Compliance platform license (we definitely recommend using this)
• Auditor
• Vulnerability and/or malware scanner licenses (e.g. Aikido Security)

The cost depends greatly on multiple factors, key ones being:

• The size of your company (If you have lots of employees, processes, offices, developers,... audit costs dramatically increase)
• Cost of the pentest (USD 3-30k, depending on what type of pentest you do and who performs it)
• Depth of the audits
• Compliance platform (e.g. Vanta)

ISO 27001:2022 technical vulnerability management

On your own path to ISO27001:2022 certification? Aikido Security fulfills all technical vulnerability management needs for ISO 27001:2022 applications. We also sync with Compliance Monitoring Platforms (like Vanta) to ensure that your vulnerability information is always up to date. This means that you can rely on accurate risk assessment and efficient remediation.

Request our report

Feel free to request our own ISO 27001:2022 report directly in our trust center.

Losing sleep imagining bad actors infiltrating your awesome new startup’s code? Not anymore! Aikido Security has designed startup security to be affordable, efficient, and fill the needs of CTOs. Let’s have a look at how Aikido transformed StoryChief’s security posture.

We love hearing about the experiences of our customers and partners, especially around startup security. We recently spoke to StoryChief’s co-founder and CTO, Gregory Claeyssens, and we were thrilled to hear about his success story using Aikido Security. In this customer case, we'll break down that conversation to show you how Aikido improved StoryChief’s security posture. And, in doing so, how it allowed Gregory some work-life balance – aka, sleeping better at night! (CTOs, we bet that sounds nice!)

💡 BTW, don’t forget to download our StoryChief/Aikido customer case at the end of this blog post.

What is StoryChief?

Founded in 2017 and headquartered in Ghent, Belgium, StoryChief is a startup offering a user-friendly, all-in-one content marketing solution. StoryChief empowers marketing agencies and content teams to streamline their content production and management. Or, as StoryChief says, ‘End content chaos.’

StoryChief’s collaborative and intuitive platform includes content planning, distribution, scheduling, and AI writing tools. It’s gained significant attention. Notably, StoryChief has raised $5.7 million in funding. That’s a testament to its innovative approach to providing comprehensive content marketing solutions. Currently, StoryChief has a large dedicated development team. And, engagingly, their logo is a likable sloth!

💡 Learn more about StoryChief and what it offers by visiting its website: https://www.storychief.io.

Startup Security Challenges

As StoryChief grew, managing the security of its code base, repositories, and infrastructure became increasingly complex. Gregory and his team found themselves in a challenging position to stay ahead of potential security vulnerabilities.

Being behind the security curve: Managing its security posture became more and more worrying. Gregory worried that he might be missing or overlooking something crucial. That led to unnecessary stress and concerns.

Using incomplete and pricey security tools: StoryChief used security tools that provided some peace of mind. But, there were two main obstacles with these. They didn’t meet Gregory’s full set of security requirements and didn’t target CTO needs. Additionally, there was an unexpected change in pricing by their main security tool provider.

Notification overload: Notifications should be useful and relevant. However, using multiple security tools led to an overload of notifications. This led to three results:

1. Some notifications lacked contextual information and accuracy,
2. Overwhelming numbers of notifications became white noise and, therefore, ignorable (they simply lacked value).

In a nutshell, inefficiency drained valuable resources and time. But, despite these headwinds, Gregory managed security effectively and didn’t experience any major security incidents. However, he felt unsettled due to the limitations and costs of their existing tools. Subsequently, this prompted him to search for a better solution.

How Aikido Security helped improve StoryChief’s security posture

StoryChief's journey to a better security posture led them to Aikido Security, which also enabled StoryChief to transition from a reactive to a proactive security approach.

No nasty price tag: Startup security should be affordable, and Aikido has startup-friendly pricing. This offered StoryChief a cost-effective solution. At the same time, Aikido boosted their confidence in their security posture thanks to the next two benefits.

I’m a CTO, not a security engineer: The various tools StoryChief had been using mainly targeted security engineers. However, unlike those tools, Aikido tailors its features and rules to the specific needs of CTOs and developers. Aikido also supplies a continual stream of new rules and features specifically designed to help CTOs out.

Tell me when it’s important and relevant: One of Aikido’s key strengths and USPs is reducing false positives. Aikido’s targeted alerts, therefore, provide StoryChief with real, actionable insights rather than overwhelming and ignorable notifications.

Shared ownership: Not only that, Aikido’s notifications are automatically shared with the dev team via Slack, fostering transparency and shared responsibility for security. In this way, Aikido also provided a team-working result. It helped Gregory with his goal of creating a more team-focused effort to manage the security posture.

StoryChief CTO sums up Aikido’s impact

"Aikido was exactly what I was looking for for a long time - the combo of features, being startup-focused, and the entry price. Aikido's made the team aware of security issues. It's created a sense of shared responsibility, engaging everyone in maintaining our security posture."

Aikido as Startup Security Insurance

Aikido Security is like an insurance policy for StoryChief's security. It offers budgetability and precision. Aikido also offers a clear focus on what really matters for Gregory and his team. With Aikido, StoryChief has not only improved its security posture but also empowered the CTO’s team to take ownership and work transparently. Aikido provides the ordered consolidation and prioritization of information needed to address security concerns.

Most importantly, it has given Gregory a high level of confidence in the security of the product:

"There are always vulnerabilities left - that's normal - but with Aikido at least I know! I have a very good idea of our security posture."

Download the StoryChief customer case

Download your own copy of the StoryChief X Aikido Security customer case:

There’s a good chance you’ve heard “CVE”, which stands for Common Vulnerabilities and Exposures. CVEs get listed in a huge database that tracks known computer security issues. This provides easy access and reference. So, if you hear someone talking about a CVE – or a CVE record – that means that the security flaw is known and has already been cataloged.

The point of tracking CVEs is this: sharing and cataloging known security flaws allows cybersecurity folks to prioritize and deal with vulnerabilities while making cloud, code, and any other IT system more secure.

Basically, the CVE system provides a common language and reference point. But – and this is the big ‘but’ – bear in mind that my problem may not be your problem!

Who maintains the CVE database?

The MITRE corporation oversees the CVE system, and all CVE records are free for the public to search and use. The Cybersecurity and Infrastructure Security Agency (CISA) helps to provide funding. CVE entries are short and sweet – no deep technical data here. CVE entries also don’t comment on fixes, risks, and impacts. The nitty-gritty details are recorded in other databases. Some examples of those include the U.S. National Vulnerability Database (NVD) and CERT/CC Vulnerability Notes Database.

What does a CVE ID look like?

A CVE ID is like a serial number. When you look at a CVE entry, you'll see the CVE ID, which looks like this: "CVE-YYYY-#####".

What does a CVE record include?

A CVE record includes the following information:

• CVE ID
• Description
• References
• Assigning CNA
• Date Record Created

CVE records also include some legacy bits and bobs, which aren’t relevant for new entries: phase, votes, comments, proposed.

How do they find vulnerabilities and exposures?

Anyone can report them, from a tech company to a curious user. Some even offer rewards for finding and reporting these issues. If it's open-source software, it's all about community support.

Once a vulnerability is reported, a CNA gives it a CVE ID, writes a short description, and adds some references. Then, it's posted on the CVE website. Sometimes, they even get an ID before the issue goes public. Keeps the bad guys at bay.

Now, not every issue gets a CVE. Of course, there are rules! Three main criteria apply:

1. Independently fixable. This means the flaw is fixable, independent, and irrelevant to other bugs.
2. Acknowledged by the vendor. This means that the vendor acknowledges that the bug exists and that it could negatively affect security. Another option is to have a shared vulnerability report that includes a description of the bug’s negative impact and how it violates the system’s security policy.
3. Affects just one codebase. If it impacts more than one product, they get separate CVEs. The idea is to create CVE records in as much isolation as possible.

How can I find CVE records?

First of all, CVE information is free and available to the public. So, that’s good news.

The easiest way to find the newest CVEs is to follow @CVEnew on X. This feed is constantly updating with tweets about multiple new CVEs every day. Just yesterday I looked and there were over 80 new CVEs! If you follow, your feed will be full of them!

What about a more thorough way to find past CVE records? If you want all the records since 1999 or a particular year, or even search by topic, just go to CVE.org/Downloads. Bulk files are now in JSON 5.0 format and can be downloaded via a GitHub repository. (Note: the previous filing system will become unavailable on January 1, 2024.)

CVEdetails.com has an easy-to-use online version of the database - with daily updates!

How do you match your libraries to the right CVE?

When analyzing a vulnerability you want to retrieve the correct CVE. To make sure you have the right CVE, best practice is to check for the version number and package name. There are many tools, such as Trivy, that do this automatically for you. (Aikido leverages Trivy for some of this functionality.)

Common Vulnerability Scoring System - CVSS

The NVD and others use the Common Vulnerability Scoring System (CVSS), which determines the severity of a vulnerability or an exposure. It's like a report card for security issues, ranging from 0.0 (no big deal) to 10.0 (huge problem). So, each CVE entry has a CVSS score.

How is a CVSS score calculated?

The CVSS score is calculated with a formula based on vulnerability-based metrics. A CVSS score comes out of scores from these three areas: Base, Temporal, and Environmental. The Base score is obligatory and the starting point and has impact and exploitability subscores. Then, the Temporal score can be calculated from the Base. Next, the Environmental score can be calculated from the Temporal. These calculations lead to the overall CVSS score.

Something for formula geeks! Check out how the scoring system and CVSS calculator work. Find out what the calculations are and which precise metrics create each score. Attack vector! Attach complexity! Lots of fun!

What is the CVSS scoring scale?

The current (v3.1) CVSS scoring scale includes five categories:

• 9.0 - 10.0 = Critical
• 7.0 - 8.9 = High
• 4.0 - 6.9 = Medium
• 0.1 - 3.9 = Low
• 0.0 = None

Download a copy of the full CVSS scoring system user’s guide.

How do I find a CVSS score for a CVE record?

This is easy! When you are in the online database each CVE record page has a link to the NVD’s CVSS score. Just click and go! For example, using CVE-2023-40033 from earlier in this post, when we click on “CVSS scores” (top right-hand corner of the record) we learn that this vulnerability has a score of 7.1 (High).

What is a CWE?

Common Weakness Enumeration, or CWE, is a list of common software and hardware weaknesses. CWE is a community-developed resource and provides standardization for the type and scope of weaknesses.

To quote MITRE, ‘the main goal of CWE is to stop vulnerabilities at the source ... to eliminate the most common mistakes before products are delivered.’ CWE also gives devs a framework for discussion and action against security threats while mapping to vulnerability databases (e.g. CVE).

How is that different from CVE? CWE focuses on the underlying weakness that might lead to a vulnerability. Meanwhile, CVE describes actual vulnerabilities. Like CVE, CWE also has severity scoring via CWSS and CWRAF.

Have a look at the top 25 most dangerous CWEs for 2023.

What can I do to maintain a strong security posture?

Don’t blindly follow the CVSS scores to set your security priorities

Are all CVEs a problem for you? Nope. These are information, but like a lot of information, not all CVEs will be relevant to your context. And, even for those that may seem to be, there are plenty of situations where even CVEs with high CVSS scores may not be relevant or a risk to you:

1. Level of business impact: A vulnerability, despite having a high CVSS score, does not pose a significant risk to the organization's specific business operations, customer data, or critical system. Or, a risk assessment or other tool determines that other factors (e.g. a function isn’t reachable) outweigh the CVSS score in importance.
2. Unique Systems: When using custom or unique software, CVSS scores may not accurately reflect the actual risk associated with vulnerabilities in specific systems.
3. Resource limitations: You'd love to fix every high-scoring CVSS vulnerability, but you've got to be realistic. Prioritize before pouring tons of resources into something that's not cost-effective.
4. Already Covered: You may already have solid defenses in place. Even if a vulnerability scores high, you might decide it's not worth the hype if you've already got safeguards that keep it in check.
5. CWE awareness: Stay aware of CWEs that might affect what you are delivering.

Get a vulnerability scanner

There are also new platforms popping up that help you spot emerging trends – check out Fletch, which specializes in awareness speed and contextualizing threats. Nessus scans for over 59,000 CVEs. Nexpose uses its own scoring system which takes into account the age of the vulnerabilities and what sort of patches and remedies are already in place. Nmap and OpenVAS are open-source vulnerability scanners.

Meanwhile, why not test Aikido Security to monitor and improve your overall security posture, too? Try out Aikido for free!

Get ahead of the CurVE

The thing about CVEs is that they are about the PAST, i.e. vulnerabilities and exposures that have already happened. That means the bad actors sometimes have time to do damage before you have time to react. In addition to using a vulnerability scanner, make sure you take steps to manage your risk. These can include making sure patches are up to date and carrying out penetration tests.

TL;DR sec provides a good breakdown of the software supply chain and, more importantly, how to secure each stage.

Additionally, we like to keep Aikido users (free and paying) and our LinkedIn followers in the loop with relevant LI posts. For example, here’s a recent post we’ve put up about CVE-2023-4911 – the (not-so-funny) Looney Tunables bug.

Check your code for the most common exploits

Use the OWASP Top 10 and CIS compliance benchmarks to check your code. These standard tools help you deal with the most common weaknesses (OWASP) and baseline configurations for cybersecurity (CIS).

Check out how you score directly in Aikido: CIS Report / OWASP Top 10 Report