Katie Kolon
Cisco Employee

The Cisco Vulnerability Management Platform (formerly Kenna Security) has the benefit of being vendor agnostic. This allows our customers to ingest asset and vulnerability data from multiple sources. However, it’s important to note that not all of your scanner’s formatting and features may be “equally” appropriate for your Risk-based VM program.

One popular discussion point has been “Patch Supersedence”. As you may know, Supersedence is when a new fix is published for a specific CVE (or comparable ID) that ALSO addresses previously identified CVE(s) from a prior release.

At its core, Supersedence makes patching easier to report and manage. Unfortunately, it does not align with reporting vulnerability risk, because it has the potential to cause batch Risk Suppression.

The chance of risk suppression comes from how the scanner groups vulnerabilities. If the non-superseded vulnerability in the supersedence chain does not list ALL the CVEs addressed by that patch, then the superseded vulnerabilities will drop off the report. While the non-superseded vulnerability may have a risk score of 34, it could be suppressing a superseded vulnerability with a risk score of 85.
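The following Python sketch is an added example, not code from the original post or from Cisco, that reproduces this effect on constructed findings. The patch IDs, CVE IDs, scores other than 34 and 85, and the `supersedes` field are assumptions standing in for a scanner export.

```python
# Constructed sample: three findings on one asset forming one supersedence chain.
# Patch IDs and CVE IDs are placeholders; "cves" maps each CVE to its risk score.
FINDINGS = [
    {"patch": "PATCH-C", "supersedes": "PATCH-B",
     "cves": {"CVE-0000-0003": 34, "CVE-0000-0001": 20}},
    {"patch": "PATCH-B", "supersedes": "PATCH-A", "cves": {"CVE-0000-0002": 85}},
    {"patch": "PATCH-A", "supersedes": None, "cves": {"CVE-0000-0001": 20}},
]

def reported_with_supersedence(findings):
    """Findings still reported when the scanner hides superseded patches."""
    superseded = {f["supersedes"] for f in findings if f["supersedes"]}
    return [f for f in findings if f["patch"] not in superseded]

def suppressed_cves(findings):
    """CVEs present in a superseded finding but listed by no reported finding."""
    reported = reported_with_supersedence(findings)
    kept = {f["patch"] for f in reported}
    visible = set().union(*(f["cves"] for f in reported))
    hidden = {}
    for f in findings:
        if f["patch"] in kept:
            continue
        for cve, risk in f["cves"].items():
            if cve not in visible:
                hidden[cve] = max(risk, hidden.get(cve, 0))
    return hidden

def blind_spot(findings):
    """Compare the highest reported score with the highest suppressed score."""
    reported = reported_with_supersedence(findings)
    top_reported = max((r for f in reported for r in f["cves"].values()), default=0)
    hidden = suppressed_cves(findings)
    top_hidden = max(hidden.values(), default=0)
    return {"top_reported": top_reported, "top_hidden": top_hidden,
            "hidden": hidden, "understated": top_hidden > top_reported}

if __name__ == "__main__":
    result = blind_spot(FINDINGS)
    for cve, risk in sorted(result["hidden"].items()):
        print(f"suppressed: {cve} (risk {risk})")
    print(f"highest reported {result['top_reported']}, "
          f"highest suppressed {result['top_hidden']}")
```

Running the same comparison against an export taken with supersedence disabled shows which CVEs a filtered import would never deliver.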

If a “Patch Supersedence” feature is enabled and its output is brought into Cisco Vulnerability Management, it could filter out active vulnerabilities that hold the potential to be actively exploited. This creates what is essentially a “blind spot”, which can adversely impact your Kenna Risk Score and overall reporting.

Do you currently have a “Supersedence” feature enabled on your scanner(s)? If so, you may want to ask your Customer Success team about this subject. CX is happy to share real-time examples of how this could impact your security posture and, most importantly, how to avoid it!
