I've spoken in the past about prioritized patching and the operational constraints. Assuming you actually want to do some prioritization, how do you go about it?
Continuing in the data-driven security realm, I've been pushing my vulnerability management tools to their limit. One of the tools we use is Nessus for internal vulnerability scanning. I've been a Nessus fan since Y2K days and still love it now. One problem with all vulnerability scanners (and their reports) is that their risk ranking is clunky, sometimes inappropriate, and occasionally over-inflated.
Most of them use CVSS, which is a nice standard though quite limited. And do remember, "Vulnerability != risk." As you may have read before, I do a wide variety of types of internal vulnerability scanning and then synthesize the results.
What I want to do is pull in and analyze all this scanning data, enrich it with locally relevant data (what the host is, what it is exposed to, who owns it), and then put it through a risk model of my own choosing. There is really no such beast, though some commercial services are very close and becoming quite useful, and this open source tool is pretty good too.
So in the spirit of "Make your own security tools", I started working on a risk scoring tool to use with Nessus and some of my other in-house scanning tools.
I wish I could share code with you, but this is developed on my employer's dime and is used internally... so no. The good news is that it wasn't hard to do, and I think I can walk you through the algorithm and the heavy lifting.
Let's start with the Nessus data itself. You can export everything you need in a handy XML file which can be read natively by a variety of tools.
My tool-du-jour is Python, so that's what I'm using. The file itself is broken into two major pieces: information about the scan and discovered vulnerabilities. I'll want both.
The information about the scan gives me when the scan was done (so I can save and compare subsequent scans) as well as which plugins were run, so I can see which hosts were tested for what. That distinction matters: a vulnerability that was found last time and is absent now only counts as fixed if the host was scanned again with that plugin enabled; otherwise it is merely untested. I can also get data about the vulnerability itself, such as when it was publicly disclosed. This is useful in my risk model because we've seen that old, still-unpatched vulnerabilities are worse than new ones. I also get from Nessus whether a public exploit is available for that vulnerability... and that info is in the exported XML for the scooping. This is extremely valuable for risk modelling, as these kinds of vulnerabilities have been shown to be far more worrisome.
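To make the walkthrough concrete, here is a small Python sketch of the parsing and scoring described above. It is an example added here, not the internal tool from the post, and the sample exports, host, plugin IDs and dates inside it are constructed for illustration. It relies on fields that do exist in the `.nessus` v2 format (`plugin_set` in the policy preferences, `HOST_START` in `HostProperties`, and `cvss_base_score`, `vuln_publication_date` and `exploit_available` on each `ReportItem`); the weights in `risk_score` are arbitrary placeholders for whatever model you choose.

```python
"""Parse .nessus (v2) exports, score findings locally, and diff two scans.

Added example; not the post author's tool. Hosts, plugin IDs, dates and weights are
constructed. Use defusedxml in place of ElementTree if you parse untrusted files.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    name: str
    cvss: float
    exploit_available: bool
    vuln_published: Optional[datetime]


@dataclass
class Scan:
    started: datetime                 # earliest HOST_START seen in the export
    hosts: Set[str]                   # hosts that were actually scanned
    tested_plugins: Set[str]          # plugin IDs enabled in the policy (plugin_set)
    findings: Dict[Tuple[str, str], Finding]   # (host, plugin_id) -> Finding


def _text(node, tag: str, default: str = "") -> str:
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else default


def parse_nessus(xml_text: str) -> Scan:
    root = ET.fromstring(xml_text)
    tested: Set[str] = set()
    for pref in root.iter("preference"):
        if _text(pref, "name") == "plugin_set":
            tested = set(filter(None, _text(pref, "value").split(";")))
    starts, hosts, findings = [], set(), {}
    for rh in root.iter("ReportHost"):
        host = rh.get("name")
        hosts.add(host)
        for tag in rh.iter("tag"):
            if tag.get("name") == "HOST_START":
                # asctime-style stamp, e.g. "Tue Mar  5 02:00:00 2024"; collapse the double space
                starts.append(datetime.strptime(" ".join(tag.text.split()), "%a %b %d %H:%M:%S %Y"))
        for item in rh.iter("ReportItem"):
            pid = item.get("pluginID")
            pub = _text(item, "vuln_publication_date")
            findings[(host, pid)] = Finding(
                host=host, plugin_id=pid, name=item.get("pluginName", ""),
                cvss=float(_text(item, "cvss_base_score", "0")),
                exploit_available=_text(item, "exploit_available").lower() == "true",
                vuln_published=datetime.strptime(pub, "%Y/%m/%d") if pub else None,
            )
    return Scan(started=min(starts), hosts=hosts, tested_plugins=tested, findings=findings)


EXPLOIT_MULTIPLIER = 1.5      # placeholder weights: a public exploit and age push CVSS up
AGE_WEIGHT_PER_YEAR = 0.5
AGE_CAP_YEARS = 5


def risk_score(f: Finding, as_of: datetime) -> float:
    score = f.cvss * (EXPLOIT_MULTIPLIER if f.exploit_available else 1.0)
    if f.vuln_published is not None:
        years = min((as_of - f.vuln_published).days // 365, AGE_CAP_YEARS)
        score += AGE_WEIGHT_PER_YEAR * years
    return round(score, 2)


def compare(previous: Scan, current: Scan) -> Dict[Tuple[str, str], str]:
    """Classify each earlier finding as open, fixed, or simply not retested."""
    status = {}
    for key, f in previous.findings.items():
        if key in current.findings:
            status[key] = "open"
        elif f.host in current.hosts and f.plugin_id in current.tested_plugins:
            status[key] = "fixed"       # retested with the same plugin and gone
        else:
            status[key] = "untested"    # absence is not evidence of a fix
    return status


# Constructed sample exports (not real scan data); shape follows NessusClientData_v2.
_TEMPLATE = (
    '<?xml version="1.0" ?><NessusClientData_v2><Policy><policyName>Internal</policyName>'
    '<Preferences><ServerPreferences><preference><name>plugin_set</name><value>{plugin_set}'
    '</value></preference></ServerPreferences></Preferences></Policy><Report name="internal">'
    '<ReportHost name="10.0.0.5"><HostProperties><tag name="host-ip">10.0.0.5</tag>'
    '<tag name="HOST_START">{start}</tag></HostProperties>{items}</ReportHost></Report>'
    '</NessusClientData_v2>'
)
_ITEM = ('<ReportItem port="{port}" protocol="tcp" severity="{sev}" pluginID="{pid}" '
         'pluginName="Example {pid}" pluginFamily="Misc"><cvss_base_score>{cvss}</cvss_base_score>'
         '<vuln_publication_date>{pub}</vuln_publication_date>'
         '<exploit_available>{exp}</exploit_available></ReportItem>')
_A = _ITEM.format(port=445, sev=3, pid=10001, cvss=8.1, pub="2017/03/14", exp="true")
_B = _ITEM.format(port=22, sev=2, pid=10002, cvss=5.0, pub="2024/01/20", exp="false")
_C = _ITEM.format(port=80, sev=2, pid=10003, cvss=6.5, pub="2021/06/01", exp="false")
PREVIOUS_SCAN = _TEMPLATE.format(plugin_set="10001;10002;10003",
                                 start="Mon Feb  5 02:00:00 2024", items=_A + _B + _C)
CURRENT_SCAN = _TEMPLATE.format(plugin_set="10002;10003",      # 10001 dropped from the policy
                                start="Tue Mar  5 02:00:00 2024", items=_B)

if __name__ == "__main__":
    prev, cur = parse_nessus(PREVIOUS_SCAN), parse_nessus(CURRENT_SCAN)
    for key, state in sorted(compare(prev, cur).items()):
        print(key, state, risk_score(prev.findings[key], cur.started))
```

Running it reports plugin 10003 as fixed (it was re-run and is gone), plugin 10002 as still open, and plugin 10001 as untested rather than fixed, because it was removed from the policy between scans. The exploit-available, seven-year-old finding scores well above its raw CVSS, which is exactly the kind of reordering the post is after.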