Cloud security provider Lacework has added a new vulnerability risk management capability to its cloud-native application protection (CNAPP) offering.The SaaS capability will combine active package detection, attack path analysis, and in-house data on active exploits to generate personalized vulnerability risk scores.\u201cLacework takes a risk-based approach that goes beyond a common vulnerability scoring system (CVSS) and looks at each customer\u2019s unique environment, to figure out what packages are active, whether that host is exposed to the internet, whether there are exploits in the wild, etc.,\u201d said Nolan Karpinski, director of product management at Lacework. \u201cCVSS scores are very generic and, at times, do not pertain to every context, meaning it may or may not be bad for your environment.\u201dScoring is based on contextual parametersLacework\u2019s vulnerability scoring takes into account the exposure of affected environments to the internet, whether the packages are being used, and whether they have already been exploited in the wild. Customers can tweak the weightage of these factors to align with their internal security guidelines and prioritize patching based on the scores.Additionally, the scoring focuses on workflow context received from the cloud control panel which indicates if the workload is being actively used in a private environment, production environment, development system, or a business-critical process, according to Karpinski.\u201cThese are very important contextual considerations,\u201d said Frank Dickson, an analyst at IDC. \u201cSuppose you have a CVS scoring of 9.8 on one vulnerability and of 7 on another. What contextual scoring will do is, maybe rank the 9.8 down a little because it\u2019s not so exposed to the internet or doesn\u2019t have an exploit yet. The one with a score of 7 can still be critical with either or both of those factors being high.\u201dLacework\u2019s \u201cactive vulnerability detection,\u201d which provides visibility into the actual packages being used by security teams can also eliminate the added workload with software bloats, according to Karpinski.Vulnerability scan adds extended attack path analysisWith the new capability, Lacework claims the discovery of attack paths to Kubernetes-based applications, including internet-exposed containers and open ports, to allow security teams to communicate context-based, Kubernetes-related exposures to developers.\u201cKubernetes is an orchestration with containers, and containers can range in architecture from a monolithic model to a combination of micro-services. This makes the Kubernetes all complex, because instead of looking into just one application, you may have to get into how thousands of containers interact with each other,\u201d Dickson said. \u201cIncluding the Kubernetes piece in the attack path analysis will really expand visibility into application packages and enable prioritization.\u201dThe new capability will power the platform dashboard with a \u201ctop risk\u201d dropdown, providing visibility into risks across multiple domains, secrets, and attack paths to critical assets.With the new risk-based vulnerability scores, Lacework claims it can help reduce 90% of vulnerability noise to help zero in on the most critical issues.The capability is already available to the public through Lacework\u2019s CNAPP for no added price on the subscription.