How do you identify, categorize, and prioritize vulnerabilities using frameworks like CVSS in your security work at SAS?