Wednesday, June 8, 2022

Vulnerability Management

Software vulnerabilities are inevitable, so we need a proper process to identify, evaluate, treat and report them. During software development, identifying vulnerabilities is crucial, and on top of that, identifying the severity of each vulnerability is critical. Not every vulnerability found will create a serious problem; only some of them will. For example, a code vulnerability scan typically lists a lot of security issues, most of which will not cause a real problem.

Vulnerability management encompasses discovering, evaluating, prioritizing, remediating, and reporting vulnerabilities in systems and software. Our intention should be to remediate before attackers get the opportunity. Vulnerability management is an important control for defending against various threats and minimizing.

A vulnerability management platform needs to identify the common software security vulnerabilities behind business and consumer threats. A few common vulnerabilities are:

1. OS command injection
2. SQL injection
3. Buffer overflow
4. Missing data encryption
5. Authentication and authorization
6. Cross-site scripting
7. URL redirection

Some of the reasons for security vulnerabilities are as follows:

1. Unpatched systems
2. Security misconfiguration
3. No proper security management solution in place
4. Recent work-from-home challenges

Vulnerability Discovery

Finding real vulnerabilities in systems and software is a key phase of vulnerability management. There are a lot of automated tools available to scan applications, networks, and systems for weaknesses that could lead to a vulnerability. Most vulnerability assessment tools can identify:

  • Unwanted open ports
  • Software misconfiguration
  • Program errors that can lead to a vulnerability

The following are a few widely used discovery methods:

  • Host-based vulnerability scanners: this method is used to identify server, desktop and network vulnerabilities. These tools mostly identify port, configuration, and patch issues. For example, we can use tools such as Nmap and Aircrack to scan and identify issues.

  • Static application security testing (SAST): this method is used to secure software by reviewing its source code to identify sources of vulnerabilities. SAST focuses on the code content of the application, scanning the source code and its components to identify potential security vulnerabilities. For example, SonarQube, RIPS and similar tools are available to find code issues.

  • Dynamic application security testing (DAST): a program that communicates with a web application through the web front-end to identify potential security vulnerabilities and architectural weaknesses in the application. For example, we can use Netsparker or OWASP Zed Attack Proxy (ZAP).

  • Interactive application security testing (IAST): analyzes code for security vulnerabilities while an application is run by an automated test, a human tester, or any activity that interacts with application functionality. It reports vulnerabilities in real time. For example, we can use Netsparker or OWASP Zed Attack Proxy (ZAP).

  • Penetration testing: attempts to exploit any vulnerabilities in a system to find out whether unauthorized access or other malicious activity is possible, and identifies which flaws pose an actual threat to the application.

Vulnerability Priority

As I said earlier, identifying and prioritizing is the main exercise of vulnerability management. The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabilities. CVSS provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one's systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.


Vulnerability Mitigation

Once a vulnerability is identified and prioritized, the ideal next step is to remediate it before it becomes a serious security threat. Remediating a vulnerability means fixing or eliminating it and dealing with its root cause.

Remediation mostly requires system patching, a software update or a library update, which cannot always be done immediately. Applying a system patch sometimes causes issues, so we need to test properly before applying it to the production environment. Some remediations also take time to develop and fix.

As remediation takes time in most cases, the organization needs a proper mitigation plan/strategy. If any system gets infected, the solution is to identify the infected file/software and patch it properly, which will take time. Switching off that system and taking it off the network are the immediate mitigation steps to avoid a wider infection.

If an application is using a vulnerable library, the proper remediation is to update the library or identify an alternative library and fix the issue. An immediate mitigation might be to build a monitoring and alert system that fires when that library is used; if an alert shows a vulnerable call, take immediate action.
