Vulnerability metrics explained
Nexpose uses 3 metrics to present vulnerability-based table data and Key Performances Indicators (KPIs):
- Vulnerability Findings
- Vulnerability Instances
A “vulnerability” is a unique, defined, and publicly disclosed software weakness. Each vulnerability is typically identified by an enumeration system, barring a few exceptions based on the type of software. Although multiple enumeration systems exist, the Common Vulnerabilities and Exposures (CVE) system is the most widely used and accepted system today.
A “vulnerability finding” is a determination that an asset is vulnerable to a vulnerability in some way. For example, if Nexpose shows 50 vulnerability findings for a single vulnerability, that means 50 assets in your network are vulnerable to this vulnerability.
A “vulnerability instance” refers to the specific condition on an asset that causes it to be vulnerable to a vulnerability. An asset can be vulnerable to the same vulnerability in multiple ways. Common causes for this scenario are:
- Having multiple versions of the same software installed on an asset at the same time; all of which are vulnerable to the same vulnerability
- Being vulnerable to the same vulnerability through multiple network ports
Vulnerability instances are the most granular view available for determining the level of risk in your environment.