好的,我现在要帮用户总结这篇文章的内容。用户的要求是用中文,控制在100字以内,不需要特定的开头,直接写描述。 首先,我需要仔细阅读文章内容。文章主要讨论了DevSecOps工作流中团队如何决定优先修复哪些漏洞的问题。理论上,应该立即修复关键漏洞,但实际情况中,由于各种扫描工具产生的大量发现(如依赖漏洞、SAST警报、秘密扫描、容器问题等),团队往往只能优先处理看起来可被利用的关键漏洞,接着处理高危漏洞,其余则搁置。时间一久,积压的问题变得难以处理。 接下来,我需要将这些要点浓缩到100字以内。要涵盖问题的本质:优先级决策的困难、理论与实际的差距、常见做法(如处理关键和高危漏洞)、以及结果(大量未解决的问题)。同时,提到不同团队可能采取的不同方法,比如基于CVSS评分、可利用性、依赖性等。 最后,确保语言简洁明了,直接描述内容,不使用“文章总结”之类的开头。 </think> 文章探讨了DevSecOps工作流中团队如何决定修复漏洞的优先级。理论上应立即修复关键漏洞,但实践中大量发现(如依赖漏洞、SAST警报等)使团队只能优先处理可被利用的关键和高危漏洞,其余搁置。时间一久积压严重。不同团队可能基于CVSS评分、可利用性或依赖性等方法处理。 2026-3-12 17:18:56 Author: www.reddit.com(查看原文) 阅读量:1 收藏
Something I've always been curious about when it comes to DevSecOps workflows:
How do teams realistically decide which vulnerabilities to fix first?
In theory the answer is obvious — fix the critical stuff immediately.
But in practice most pipelines end up producing a lot of findings. Dependency vulnerabilities, SAST alerts, secrets scans, container issues… it adds up pretty quickly.
What I’ve seen on a few projects is that teams end up doing something like:
-
fix the critical ones if they look exploitable
-
maybe tackle some highs if there’s time
-
everything else just sits in the backlog
And after a few months you suddenly have hundreds of findings across repos and nobody really knows where to start.
I’m curious how other teams handle this in reality.
Do you:
• strictly follow CVSS scores
• prioritize based on exploitability / reachability
• focus on dependencies first
• just fix things as they come up
Or does it mostly become security debt that gets cleaned up occasionally?
Would be interesting to hear how different teams approach this.
如有侵权请联系:admin#unsafe.sh