No system is perfectly secure, as proven by software analysis firm CAST, which reviewed 278 million lines of code and discovered more than 1.3 million vulnerabilities caused by errors and poor code practices. Because of this, organisations should have a plan of action (known as Vulnerability Management) on how to handle these vulnerabilities.
What Is Vulnerability Management?
Vulnerability Management is typically defined as an ongoing process to identify, evaluate, treat, and report vulnerabilities across systems and endpoints. Alongside other security strategies, a vulnerability management system is a vital tool used to help manage potential threats.
The Differences Between Vulnerabilities, Risks, and Threats
There are multiple ways to define a potential security issue. However, these are the typical definitions that most organisations follow:
- Vulnerabilities are a weakness of an asset (or a group of assets) that one or more threats can exploit.
- Threats are something that can exploit a vulnerability but have not been exploited yet.
- Risks occur once a threat has exploited a vulnerability. This is the damage (or potential damage) caused by the exploit.
Each of these issues poses a problem on its own, which is why organisations should look towards implementing a vulnerability management system. This would allow them to keep track of these potential issues and have a plan to handle any critical security issues.
How to Implement a Vulnerability Management System and Process
Vulnerabilities are commonplace in today's development world, and each one can introduce some form of risk if exploited. Having a detailed process to form a vulnerability management lifecycle will allow an organisation to assess their IT landscape better and develop action plans to resolve vulnerabilities.
1. Assess For Vulnerabilities
An organisation should routinely perform vulnerability assessments across its systems, preferably on a monthly basis. Vulnerabilities are reported constantly, and it's essential to keep up with these through vulnerability management tools.
Automating your security workflow is a key concept in modern shift left development and should be implemented in every software development lifecycle. Creating an automated vulnerability assessment system can identify weaknesses across an entire organisation, assessing them for potential issues while providing critical information for any known vulnerabilities.
Creating a team that can regularly assess and organise a plan to solve vulnerabilities can lead to more effective prevention and better results overall. This group can best evaluate these issues and formulate a strategy that works best for the organisation.
2. Prioritise Fixes For Vulnerabilities
Your organisation should have a firm idea of all the vulnerabilities within your systems at this stage. With this information, your team should be utilising the Common Vulnerability Scoring System (CVSS) to find the numeric score for each vulnerability based on individual severity.
Once this has been done, a team can choose to place it in one of three categories:
- Fix any issues that have solutions, whether from pre-existing software patches or mitigating the issue until resolved. Teams should prioritise these for the next step.
- Track issues that are not being resolved currently, regardless of the reason. Teams should document all vulnerabilities that aren't getting an immediate fix and notating why. This helps for future reviews and to assess threats better.
- Investigate issues that don't fall into the other two categories. These should be temporary statuses while the vulnerability is investigated to find an optimal solution or a potential false positive.
Vulnerabilities can be prioritised to better formulate a plan of attack, weighing the impact and cost to fix some of these issues. In most cases, an organisation will find more problems than it can afford to fix. This is where senior management should step in and prioritise what can be fixed now, to reduce business risks.
3. Fix Vulnerabilities
Now that you have a list of vulnerabilities, your team should be put into action to resolve them. Documentation is key here, as your organisation should notate any changes and document vulnerabilities that aren't being fixed.
4. Verify Vulnerabilities Are Resolved
Once all fixes have been deployed for this portion of your vulnerability management lifecycle, it's time to reassess and assure that the changes were successful. Taking a step back to confirm these vulnerabilities have been resolved will allow your team to validate their work. This also provides an opportunity to document any new vulnerabilities that may arise.
5. Reporting
After we've finished these steps, it's time to formulate a report. This allows executives and other IT personnel to understand the current status of systems to have a summary of the IT landscape. Comparing this new report to the previous scan can help form metrics to track and improve for the next cycle.
Although no system is entirely secure, we’ve learned that Vulnerability Management helps to mitigate risks with a step-by-step process that allows organisations to identify and fix weaknesses within their systems.
WHO IS ULESKA?
Uleska helps security and development teams manage application security at scale by automating and orchestrating their preferred security tools within CI/CD.
With Uleska, teams can confidently start an AppSec program using open-source, commercial, and custom tools and then quickly change, add or scale tools as the technology and business needs evolve. Uleska also brings speed and scale when integrating into development tools, and reporting of metrics and risk.
By bringing security, DevOps and development teams together, we help reduce manual tasks so application security takes less time, cost and can scale, allowing teams to focus resources on the issues and metrics that matter.
