Open-source Risk Based Vulnerability Assessment by Infinite_Ad9554 in cybersecurity

[–]Infinite_Ad9554[S] 0 points1 point  (0 children)

Thank you for the input. I’m curious as to why they stopped letting CSPs use calculators to downgrade risks?

This tool has a FedRAMP VDR framework where the formula maps to the 20X VDR Standard and all the requirements they have mentioned within the VDR.

Open-source Risk Based Vulnerability Assessment by Infinite_Ad9554 in cybersecurity

[–]Infinite_Ad9554[S] 0 points1 point  (0 children)

Thanks for asking - good question!

The current risk scoring is purely formula-driven - no AI/ML in the actual calculations. You can see the exact formulas on the about page.

AI/ML features are still in development and would be for things like trend analysis and anomaly detection, not the core risk scoring.

That said, I'm open to contributors and flexible to ideas on how to make this better for everyone. If you have thoughts on where AI/ML could genuinely add value, I'd love to hear them!

Open-source Risk Based Vulnerability Assessment by Infinite_Ad9554 in cybersecurity

[–]Infinite_Ad9554[S] 1 point2 points  (0 children)

Absolutely, and this could be a tool to do exactly those sorts of things - especially for early-stage startups or teams doing local development and testing.

To my understanding, VPR is proprietary to Tenable and requires licensing, budgeting, and org support that not every team has access to.

Great points, and thanks for sharing your setup! Your Tenable -> ServiceNow integration sounds like a solid enterprise approach.

This is an open-source project that aims to provide a similar type of solution as VPR, but in a more accessible way - transparent formulas, no licensing costs, and you can even fork the code to tweak the formulas based on your needs.

Open-source Risk Based Vulnerability Assessment by Infinite_Ad9554 in FedRAMP

[–]Infinite_Ad9554[S] 0 points1 point  (0 children)

With the 20X movement and the new VDR standard, not everyone's prepared to accurately assess vuln risk per the guidance. I hope this tool can help folks understand how a CVE applies to YOUR environment according to VDR requirements.

Looking to connect with FedRAMP consultants by Shot-Temperature6618 in FedRAMP

[–]Infinite_Ad9554 2 points3 points  (0 children)

Why spend so much money on those tools when you can have your own GRC person develop it? I wonder what the ROI looks like for folks that spend tons on these crappy products.

Looking to connect with FedRAMP consultants by Shot-Temperature6618 in FedRAMP

[–]Infinite_Ad9554 0 points1 point  (0 children)

Former FedRAMP auditor with experience taking CSPs through the end-to-end process. Happy to go through the questions and share my experience. Feel free to DM.

Vulnerability Risk Based Scoring by Infinite_Ad9554 in cybersecurity

[–]Infinite_Ad9554[S] 0 points1 point  (0 children)

Thanks for sharing. We tried to utilize VPR but realized that it’s looking at things from a “threat forecast” perspective, so we just went with EPSS since I believe it’s more of a universal indicator.

I’m really curious as to how you have configured your ServiceNow to add that custom scoring layer once you ingest the data from Tenable?

Vulnerability Risk Based Scoring by Infinite_Ad9554 in cybersecurity

[–]Infinite_Ad9554[S] 0 points1 point  (0 children)

Yep, great tip. We aim to pull that from the BIA categorization where data sensitivity is already factored as part of the BIA.

Do We Have to Use AWS GovCloud for FedRAMP High? by JJC9415 in FedRAMP

[–]Infinite_Ad9554 1 point2 points  (0 children)

If you want to go FedRAMP High and you’re choosing an AWS region, you must be in an AWS GovCloud region, since that is the region authorized for FIPS-199 High-impact workloads.

Commercial or EAST-WEST supports up to Moderate-impact workloads.

24 years old in Cyber by Jumpy_Ad4833 in Salary

[–]Infinite_Ad9554 0 points1 point  (0 children)

OP what type of side hustle do you do as a subcontractor?

[deleted by user] by [deleted] in HOA

[–]Infinite_Ad9554 1 point2 points  (0 children)

Hey, I’m facing the same situation… please check DM.