Vulnerability Management: Process and Tools
In this blog post, we describe the key phases of the vulnerability management process and the vulnerability management tools that are used to facilitate and optimize the process.
What Is Vulnerability Management?
Vulnerability management is a strategic, ongoing process that minimizes an organization’s exposure to cybersecurity threats. In larger organizations, vulnerability management typically takes place across multiple teams. Security team is responsible for defining a disciplined set of vulnerability management best practices and procedures as well as continuous identification and prioritization of vulnerabilities. Operations and development teams are tasked with remediating the discovered vulnerabilities.
What Is a Vulnerability?
Vulnerability is a configuration or coding flaw that exposes a network and its connected assets to a threat that aims to steal data and/or disturb or shut down backend or public-facing applications. A vulnerability is any attack surface through which threat actors can gain unauthorized access to systems or data.
Often multiple layers of vulnerability are exploited to mount an attack, with vulnerabilities in public-facing assets serving as a gateway to vulnerabilities in assets behind the organization’s firewall.
Why Is Vulnerability Management Important?
The direct and indirect costs of successfully exploited vulnerabilities are very high, and vulnerability management has become a business-critical KPI. Employees, customers, suppliers, and partners have come to expect an organization’s systems to be highly available and have little tolerance for the slowdowns or downtime that can result from cybersecurity attacks.
According to the U.S. government’s National Vulnerability Database (NVD), the number of reported vulnerabilities in 2020 was about the same as 2019: ~17,000, which is a formidable data point in and of itself. The vulnerability landscape is further complicated by the growing sophistication of common attack approaches such as phishing, malware, and ransomware. And as many as 98% of cyberattacks today rely on at least some form of social engineering, which is very difficult to control, since even IT professionals can fall victim to these manipulations.
The Vulnerability Management Process
The vulnerability management life cycle is comprised of four main types of activities:
- Identification: The organization’s environment is continuously scanned against one or more databases of known vulnerabilities to identify all vulnerable assets. Different types of scanners are deployed depending on the product life cycle stage and the type of environment (on-premises, cloud, hybrid). Thus, for example vulnerability scanners in the development stage are more akin to testing tools while vulnerability scanners in the production stage must provide real-time and continuous monitoring.
- Prioritization: At any given point in time, an enterprise or mid-sized business will be managing tens of thousands of vulnerability instances (i.e., vulnerabilities multiplied by the number of assets affected). In order to optimize remediation efforts, vulnerabilities must be prioritized based on the risk that they pose to the organization. Vulnerability databases typically assign a technical severity score and a good vulnerability management solution will fine-tune that score based on the organization’s specific IT and business requirements.
- Treatment: The prioritized vulnerabilities now need to be neutralized in some way. Active remediation involves either applying a patch to third-party software or fixing flawed code in proprietary applications. Other possible treatments include workarounds (such as a configuration change) or compensating controls (such as blocking a port). In some cases the optimal treatment is to accept the vulnerability, with the understanding that the vulnerability does not pose a real security threat to the organization.
- Verification and reporting: The vulnerability management team must close the loop by verifying that the treatment activity was indeed carried out and has neutralized the vulnerability. This is not as easy as it might seem, given the fact that so many teams—each with its own toolset—are involved. In addition, it is important that all the different steps in the vulnerability management process are documented for both compliance purposes as well as for ongoing assessment of the organization’s vulnerability management program.
What Is the Difference Between Vulnerability Management and Vulnerability Assessment?
Vulnerability assessment is one part of the organization’s overall vulnerability management program. With the goal of vulnerability management being the reduction of cybersecurity risk to a minimum, vulnerability assessment focuses on gaining insight into the efficacy of the organization’s vulnerability management processes and procedures.
Penetration testing, for example, carries out simulated attacks on the organization’s applications and network to assess their vulnerability in the face of real-life exploits. If penetration and other automated vulnerability assessment tests generate consistently poor results, the organization needs to rethink and perhaps retool its vulnerability management solution.
Vulnerability Management Tools
Just as it is far less costly in terms of time, money, and brand damage to fix bugs before an application or service is deployed into production, it is advantageous to find and remediate vulnerabilities as early as possible. Vulnerability management should be part of a secure software development life cycle (SSDLC) approach whereby security is built into software products from the earliest design, development, and testing phases.
More than 80% of all vulnerabilities are found in application code. The Open Web Application Security Project (OWASP) is a non-profit global community that encourages developers to incorporate secure coding best practices from the earliest product life cycle stages. It is best known for its list of the top ten vulnerabilities that pose the greatest cybersecurity threat to web applications. The OWASP Top 10 is an important guideline for security-minded developers.
In this section, we look at some of the other tools and services that help DevSecOps teams implement SSDLC-based vulnerability management.
Vulnerability scanning is carried out in development and production environments to continuously monitor applications, code repositories, servers, and networks for known vulnerabilities.
Static and dynamic application security testing (SAST and DAST) tools are the two main types of scanners that are used to test pre-production source code for vulnerabilities:
- SAST: These tools scan non-compiled source code and its related dependencies, using a predefined set of rules to detect issues and vulnerabilities and mark their exact location. These white-box testing tools integrate well into CI/CD pipelines.
- DAST: These tools require working code and monitor the inputs and outputs in order to detect vulnerabilities.
- Automatically discover open-source components and all their dependencies and monitor them for vulnerabilities, throughout the product life cycle.
- Promptly take action to lock out attackers in all the instances in the organization’s environment that are affected by an identified vulnerability.
- At all stages of the product life cycle, alert developers to the exact location of identified open-source vulnerabilities so that remediation can take place quickly and easily.
2. Vulnerability Databases
Vulnerability scanners require knowledge of known vulnerabilities in order to identify and provide an initial prioritization of vulnerabilities in the organization’s environment. There are several well-known public vulnerability databases and standards that vulnerability scanners rely on, including:
- Common Vulnerabilities and Exposures (CVE): Provides “…an identification number, description, and at least one public reference for publicly known cybersecurity vulnerabilities.” Launched in 1999, CVE is actually more of a dictionary than a database, and is a standardized resource for other tools and services to track and evaluate vulnerabilities.
- National Vulnerability Database (NVD): A U.S. government repository of standardized vulnerability management data, including impact metrics such as CVSS (see below). It uses CVE as one of its inputs.
- Common Vulnerability Scoring System (CVSS): An open framework that provides standardized numerical scores regarding the characteristics and severity of a vulnerability. The score is derived from a mix of three metric groups: Base, for constant, intrinsic characteristics; Temporal, for characteristics that change over time; and Environmental, for characteristics that change across environments.
There are also vulnerability databases that are maintained by third-party vendors, such as Snyk’s Vulnerability Database, which uses numerous sources in addition to the public services described above. It is also curated by a dedicated Security Research Team. As a result, it exposes many vulnerabilities before they are added to public databases—for significantly faster detection and correction.
3. Vulnerability Management Solutions
Vulnerability management solutions are platforms that help optimize and automate the vulnerability management process in general, and the treatment process in particular. These solutions help fine-tune vulnerability prioritization as well as choose the right solution (Remember, it’s not just about deploying patches.), automate the remediation process, and provide a single source of vulnerability management truth across the enterprise.
Snyk is a developer-centric end-to-end vulnerability management solution for cloud-native applications. It integrates with developer frameworks to help find, prioritize, and fix vulnerabilities across the cloud-native application stack, including open-source components, during all phases of the development life cycle.
Vulnerability Management FAQ
Why do we need vulnerability management?
Vulnerability management is a business-critical requirement in order to meet regulator, employee, partner, and customer expectations regarding business continuity and data loss protection.
What is enterprise vulnerability management?
Enterprise vulnerability management is a disciplined and scalable set of best practices and processes that facilitate effective vulnerability management across multiple teams and environments.
What is open-source vulnerability management?
Open-source vulnerability management focuses on the detection and fixing of vulnerabilities in open-source libraries and frameworks, including their direct and indirect dependencies.