What is CVSS, and what are its limitations for prioritisation? [Intermediate]
Answer
CVSS is the Common Vulnerability Scoring System. It provides a standardized severity score based on exploitability and impact characteristics, but its limitation is that it does not fully account for local context such as asset exposure, business value, compensating controls, or current attacker activity.
Technical explanation
CVSS is useful as a common language and for initial severity bucketing, not as a complete prioritisation signal.
It can over-prioritise theoretically severe issues that are unreachable in your environment (for example, a vulnerable library that is installed but never loaded, or a service that is not network-reachable).
It can under-prioritise lower-score issues that are internet-exposed, actively exploited, or chainable with existing privileges and access to sensitive data.
Hands-on example
Hands-on: do not sort a backlog by CVSS alone. Build a composite risk score that also includes CISA KEV membership, EPSS probability, public exposure, running status, workload criticality, data sensitivity, exploit maturity, and fix availability, and sort on that.
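As an added illustration (this code is not part of the original page), the following Python builds the kind of composite score described above. The weights, the three constructed sample findings and their `VULN-*` identifiers are all hypothetical; the point is that a CVSS-only ordering and a context-aware ordering disagree, and the context-aware one is the one a defender should act on.

```python
"""Composite vulnerability prioritisation (added example, not from the original page).

All weights and sample data below are constructed for illustration and would
need tuning against a real organisation's assets and threat intelligence.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Finding:
    vid: str                  # constructed placeholder id, not a real CVE
    asset: str
    cvss: float               # CVSS base score, 0.0 - 10.0
    epss: float               # EPSS probability of exploitation, 0.0 - 1.0
    kev: bool                 # listed in CISA Known Exploited Vulnerabilities
    internet_exposed: bool    # reachable from the public internet
    running: bool             # vulnerable component is actually loaded/running
    criticality: str          # "low" | "medium" | "high"
    data_sensitivity: str     # "public" | "internal" | "confidential"
    exploit_maturity: str     # "none" | "poc" | "functional" | "weaponized"
    fix_available: bool


# Hypothetical multipliers for the local-context attributes.
CRITICALITY = {"low": 0.5, "medium": 1.0, "high": 1.5}
SENSITIVITY = {"public": 0.5, "internal": 1.0, "confidential": 1.5}
MATURITY = {"none": 0.0, "poc": 1.0, "functional": 2.0, "weaponized": 3.0}


def risk_score(f: Finding) -> float:
    """Return a composite score; higher means remediate sooner.

    CVSS is only the starting point. Threat-intelligence signals (KEV, EPSS,
    exploit maturity) are added, then local context scales the result.
    """
    score = f.cvss
    # KEV is the strongest signal that attackers are using the flaw right now.
    if f.kev:
        score += 8.0
    # EPSS (0..1) is scaled into a 0..6 contribution.
    score += 6.0 * f.epss
    score += MATURITY[f.exploit_maturity]
    # Reachability: a component that is not running is heavily discounted.
    if not f.running:
        score *= 0.25
    if f.internet_exposed:
        score *= 1.5
    # Business context: what the asset does and what data it holds.
    score *= CRITICALITY[f.criticality] * SENSITIVITY[f.data_sensitivity]
    # No available fix: still tracked, but less immediately actionable.
    if not f.fix_available:
        score *= 0.8
    return round(score, 2)


def rank(findings: List[Finding], key: Callable[[Finding], float]) -> List[str]:
    """Return finding ids ordered from highest to lowest under the given key."""
    return [f.vid for f in sorted(findings, key=key, reverse=True)]


# Constructed sample backlog (not real vulnerabilities or assets).
SAMPLE_FINDINGS = [
    # Critical CVSS, but the library is present and never loaded, not exposed.
    Finding("VULN-A", "batch-worker", 9.8, 0.01, False, False, False,
            "high", "confidential", "none", True),
    # Only "High" CVSS, but in KEV, exposed, running, weaponised exploit.
    Finding("VULN-B", "public-api", 7.5, 0.90, True, True, True,
            "medium", "confidential", "weaponized", True),
    # Medium CVSS on a low-value, public-data host with only a PoC.
    Finding("VULN-C", "marketing-site", 5.3, 0.05, False, True, True,
            "low", "public", "poc", True),
]


if __name__ == "__main__":
    print("CVSS-only order :", rank(SAMPLE_FINDINGS, lambda f: f.cvss))
    print("Risk-score order:", rank(SAMPLE_FINDINGS, risk_score))
    for f in SAMPLE_FINDINGS:
        print(f"{f.vid}: cvss={f.cvss} risk={risk_score(f)}")
```

Sorting by CVSS alone puts `VULN-A` (9.8, unreachable) first; the composite score moves the KEV-listed, internet-exposed `VULN-B` to the top and leaves `VULN-A` as a tracked but lower-urgency item, which is exactly the over- and under-prioritisation the explanation above describes.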