What is the difference between a CVE, a CVSS score, and exploitability (EPSS/KEV)? [Basic]
Answer
A CVE is an identifier for a publicly known vulnerability. CVSS is a severity scoring system that estimates technical impact. EPSS estimates likelihood of exploitation in the wild, and CISA KEV lists vulnerabilities known to be actively exploited. Together they help prioritize, but none should be used alone.
Technical explanation
CVE answers 'what vulnerability is this?'.
CVSS answers 'how severe could it be technically?'.
EPSS/KEV answer 'how likely or confirmed is exploitation?', which is often more useful for remediation urgency.
Hands-on example
Triage a CVE by checking its CVSS score, its EPSS probability or percentile, its KEV status, the asset's internet exposure and criticality, any compensating controls, and whether a patch is available. A KEV-listed vulnerability on an exposed production system should get emergency priority.
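The triage steps above, as an added example that is not part of the original answer: a small Python prioritiser that ranks exploitation evidence (KEV, EPSS) above raw CVSS and adjusts for exposure, asset criticality, compensating controls and patch availability. The EPSS threshold, the priority tiers and the sample findings (with placeholder identifiers) are constructed for this example and are not values from any standard.

```python
from dataclasses import dataclass

# Assumption for this example: treat EPSS probability >= 10% as "exploitation likely".
EPSS_LIKELY = 0.10

@dataclass
class Finding:
    cve: str                    # CVE identifier (placeholders in SAMPLE below)
    cvss: float                 # CVSS base score, 0.0-10.0
    epss: float                 # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool                # listed in CISA KEV
    internet_exposed: bool
    asset_criticality: str      # "low", "medium" or "high"
    compensating_control: bool  # e.g. WAF rule, feature disabled, network isolation
    patch_available: bool

PRIORITY_ORDER = {"emergency": 0, "high": 1, "medium": 2, "low": 3}

def triage(f: Finding) -> tuple[str, str]:
    """Return (priority, action) for one finding."""
    confirmed = f.in_kev                  # exploitation confirmed in the wild
    likely = f.epss >= EPSS_LIKELY        # exploitation predicted likely
    if confirmed and f.internet_exposed and f.asset_criticality == "high":
        priority = "emergency"            # the case the answer singles out
    elif confirmed or likely:
        # Exploitation evidence outranks CVSS; a compensating control buys time
        priority = "medium" if f.compensating_control else "high"
    elif f.cvss >= 9.0 and f.internet_exposed:
        priority = "high"                 # severe and reachable, but no exploitation signal
    elif f.cvss >= 7.0:
        priority = "medium"
    else:
        priority = "low"
    if f.patch_available:
        action = "patch"
    elif f.compensating_control:
        action = "keep mitigation, track vendor fix"
    else:
        action = "mitigate (no patch yet)"
    return priority, action

def triage_queue(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Order findings so the most urgent remediation work comes first."""
    rows = [(f.cve, *triage(f)) for f in findings]
    return sorted(rows, key=lambda r: PRIORITY_ORDER[r[1]])

# Constructed sample findings; identifiers are placeholders, not real CVEs
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, "low", False, True),
    Finding("CVE-0000-0002", 6.5, 0.71, True, True, "high", False, True),
    Finding("CVE-0000-0003", 7.5, 0.30, False, True, "medium", True, False),
]
```

Note that the CVSS 9.8 finding lands below the CVSS 6.5 one: the lower-scored bug is KEV-listed on an exposed critical asset, which is exactly why CVSS alone is a poor urgency signal.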