4 steps of the Vulnerability Remediation Process
February 16, 2021
It is always important to remember that the end-game of vulnerability management is remediation. One of the important KPIs of a vulnerability management program is how many high-risk vulnerabilities are removed or neutralized before critical systems and assets are compromised.
Why is Vulnerability Remediation Important?
Customers, partners, employees and regulators expect companies to put in place policies and processes that continuously and effectively protect data from accidental or malicious loss and exposure. There is also zero tolerance for system disruptions or slowdowns. In short, meeting vulnerability remediation challenges has become a business-critical activity.
What is the Vulnerability Remediation Process?
The vulnerability remediation process is a workflow that fixes or neutralizes detected weaknesses, including bugs and vulnerabilities. It includes 4 steps: finding vulnerabilities through scanning and testing, prioritizing them, fixing them, and monitoring for newly discovered ones.
We focus primarily on the remediation steps of prioritization and fixing in order to achieve a scalable and effective vulnerability remediation process.
4 steps of the vulnerability remediation process
Find: Detecting vulnerabilities through scanning and testing
Prioritize: Understanding which vulnerabilities pose a real and significant risk
Fix: Patching, blocking, or otherwise fixing vulnerabilities at scale and in real-time
Monitor: Automatically monitor projects and code for newly discovered vulnerabilities, with real-time alerts and notifications via all the relevant channels
1. Finding Vulnerabilities
Before jumping into vulnerability prioritization and fixing, let’s quickly review what vulnerabilities are and how they are found.
What is a security vulnerability?
Security vulnerabilities are known coding flaws or system misconfigurations that can be exploited to compromise an application, service, library, container, or function and all its related assets. The active exploit seeks to shut down or disrupt performance, exfiltrate data, hijack compute resources, and so on. Systems and assets that are laterally accessible to the compromised component are also at risk.
For example, a commonly known software coding vulnerability is either failing to implement a user authentication procedure altogether or implementing an inadequate control, such as single-factor authentication rather than the recommended best practice of multi-factor authentication. This kind of vulnerability opens the door to unauthorized users with sufficient privileges to mount exploits such as man-in-the-middle (MITM) attacks, which are essentially electronic eavesdropping. Security teams and hackers find new vulnerabilities regularly (Log4Shell is one example), so it's important to scan often.
The first step of the vulnerability remediation process, therefore, is to scan for and find security vulnerabilities. Mature vulnerability management programs implement a shift-left DevSecOps approach in which vulnerability scanning takes place throughout a secure SDLC (software development life cycle). In order not to slow down the CI/CD pipeline, automated vulnerability testing tools are deployed in development, testing, and production environments. These may include:
Software Composition Analysis (SCA) tools
White-box static application security testing (SAST) tools
Black-box dynamic application security testing (DAST) tools
Special attention needs to be paid to container security. It is important to scan for security vulnerabilities in container images as well as in running container instances, with all their linkages. It is also important to ensure that third-party container images are from trusted sources only. Kubernetes security also raises a unique set of vulnerability scanning challenges. If a cluster is breached, every service and machine in the network is at risk.
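The SCA tools listed above, and the FAQ answer on scanning below, both come down to comparing what an application actually ships against a database of known vulnerable versions. The following is an added illustration of that matching step, not Snyk's code or database: the advisory entries, package names, and lockfile excerpt are all constructed placeholders.

```python
# Added example, not Snyk's code: a minimal software composition check that matches
# pinned dependency versions against an advisory database. Everything here is constructed.
def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10); tuple comparison gives correct version ordering."""
    return tuple(int(part) for part in v.split("."))

# Constructed advisories: vulnerable range is [introduced, fixed_in); None = no fix yet.
ADVISORIES = [
    {"id": "EXAMPLE-1", "package": "acme-http", "introduced": "2.0.0", "fixed_in": "2.4.1", "severity": "high"},
    {"id": "EXAMPLE-2", "package": "acme-xml", "introduced": "1.0.0", "fixed_in": "1.2.6", "severity": "medium"},
    {"id": "EXAMPLE-3", "package": "acme-utils", "introduced": "0.9.0", "fixed_in": None, "severity": "low"},
]

# Constructed lockfile excerpt in a pip-style "name==version" form.
LOCKFILE = """\
acme-http==2.3.9
acme-xml==1.2.6
acme-utils==1.3.0
acme-log==4.18.2
"""

def parse_lockfile(text: str) -> dict:
    """Map package name -> pinned version, skipping blank and comment lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps

def is_affected(version: str, introduced: str, fixed_in) -> bool:
    """True when the installed version falls inside the advisory's vulnerable range."""
    v = parse_version(version)
    return v >= parse_version(introduced) and (fixed_in is None or v < parse_version(fixed_in))

def scan(lockfile_text: str, advisories=ADVISORIES) -> list:
    """Return one finding per advisory that matches an installed version."""
    deps = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed is None or not is_affected(installed, adv["introduced"], adv["fixed_in"]):
            continue  # package not present, or version already outside the vulnerable range
        findings.append({"id": adv["id"], "package": adv["package"], "installed": installed,
                         "severity": adv["severity"], "fixable": adv["fixed_in"] is not None,
                         "fixed_in": adv["fixed_in"]})
    return findings
```

Running `scan(LOCKFILE)` reports the two affected packages and, for each, whether a fixed release exists, which is exactly the "fixability" signal the prioritization step needs.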
2. Prioritizing Vulnerabilities
The next step in the vulnerability remediation process is prioritizing vulnerability remediation.
"One mistake that I made early on in my application security career, it’s that I spent way too much time trying to do way too many things. That meant that I was spending too much time getting into the weeds on specific vulnerabilities."
Brendan Dibbel, Application Security Engineering Team Lead at Toast
No matter which approach your company takes to security risk management, not every detected vulnerability poses the same level of risk. It is always a tradeoff among a variety of considerations such as severity, fixability, coverage, and compliance. With risk-based, context-aware prioritization, the vulnerability remediation team can focus its limited resources on the issues that matter the most.
Good likelihood that 80% plus of discovered vulnerabilities are false-positives, another 18% are low-risk and then the last 2% are really things that you need to fix.
The Snyk cloud-native application security platform supports vulnerability prioritization in a number of ways:
Insightful vulnerability information: Snyk lets you prioritize based on actionable information such as exploit maturity, fixability, risk level (including danger severity in general and impact on business-critical projects in particular), prevalence (the number of projects and assets affected), and age.
Accurate, risk-based priority scoring: The Snyk Vulnerability database enriches and analyzes data from diverse public and proprietary sources in order to provide unprecedented coverage of known and unknown vulnerabilities, each of which is assigned a carefully calculated priority score.
Application-level insight: Snyk uses execution and runtime invocation data, Kubernetes configuration information, and signals from running containers to determine the impact (or lack thereof) of a vulnerability. If a vulnerable function is not actually being called, does it really warrant your urgent attention?
Granular control of security policies: Vulnerability prioritization must take place within the context of the company’s security policies. The more granular the implementation of security controls, the more focused vulnerability prioritization can be. Snyk lets you use tags and attributes to define security policies on a project-by-project basis.
3. Fixing Vulnerabilities
The third step in the vulnerability remediation process is to fix the weakness.
In many cases, removing vulnerable software involves deploying an upgrade or a patch, as recommended by the vendor of the affected software. However, patch deployment can be challenging in and of itself. Testing and rolling out patches and upgrades can consume considerable time and resources. Business-critical systems may have to be shut down during the deployment process. And there is always the risk that the patch will have unforeseen impact on the application itself or its dependencies.
There may be less risky ways to fix a weakness, or to at least buy time while a patch is being prepared for deployments. For example, you can update risky system, platform, or service configurations. Similarly, you can disable a vulnerable process or function, or remove a vulnerable component, that is not actually in use.
4. Monitoring Vulnerabilities
Just like the rest of the SDLC, the security vulnerability remediation process is continuous. To facilitate this loop, you need to have monitoring in place. The tool(s) you use to do this need to automatically monitor projects and code for newly discovered vulnerabilities, with real-time alerts and notifications via all the relevant channels.
Ideally, the monitoring tool will also provide contextualized prioritization, helping with both steps 1 and 2 of the vulnerability remediation process (find and prioritize). Otherwise, developers or AppSec teams receiving notifications will quickly become burned out by an influx of low-priority vulnerabilities. It's important that teams are not overwhelmed by noise, which can delay them from handling important, high-priority vulnerabilities that need prompt remediation.
While monitoring is step 4 in this list, in a high-functioning security program, monitoring could be considered step 1.
Beyond knowing the 4 crucial steps of the vulnerability remediation process, it is very important to have the right tools in place to facilitate the process and make it more efficient.
"I see this problem at almost every organization: you have a few security engineers up against a whole huge bucket of developers and there’s no possible way for you to keep up with all the changes.
So instead of focusing on doing all of the things, we really want to focus on how do we give our engineers the tools that they need to take ownership of security?"
Brendan Dibbel, Application Security Engineering Team Lead at Toast
Empower your development teams with the right tools to find and fix vulnerabilities. Here are a few ways Snyk can help you do this:
Immediate lockdown: Snyk’s SCA tool scans for and promptly discovers all instances affected by a vulnerability and immediately takes measures to lock out attackers.
Enhanced navigation: In today’s highly distributed, event-triggered cloud-native applications, it is not a trivial task for developers to find the vulnerable code or component that requires remediation. Snyk accelerates remediation by telling developers exactly how to navigate to the vulnerability.
Integrating with existing developer workflows: By meeting developers where they work such as within the IDE and versioning tools like GitHub, Snyk can help reduce context switching and help developers fix potential vulnerabilities early in the development lifecycle.
Automatic or manual upgrades to vulnerability-free versions: Snyk upgrades direct dependencies to a vulnerability-free version, either automatically via automatic fix pull requests or by prompting the team to do so manually.
Patching the vulnerability: Snyk automatically checks if there is an existing branch and then reopens the existing pull request for the exact fix. If there is no existing branch, a new branch and pull request are created.
Embed security into your CI/CD pipelines
Snyk runs in your CI/CD pipeline of choice and helps you fix the highest-priority vulnerabilities.
FAQ
What is vulnerability scanning and testing?
Vulnerability scanning monitors applications and systems against a database of known coding flaws and misconfigurations. Vulnerability testing probes applications to assess their vulnerability. Both vulnerability scanning and testing should be automated processes that integrate seamlessly with CI/CD pipelines throughout the software development life cycle.
How can vulnerabilities be safely prioritized?
Snyk helps you prioritize vulnerabilities based on risk scores that are derived by analyzing and curating multiple vulnerability and threat intelligence data sources. Some of these sources are publicly available, but they should be enriched with intelligence from the field (developers, academia, and so on) as well as by proprietary research.
How to remove vulnerable software?
Vulnerable software is typically removed through deploying patches and upgrades supplied by the software vendors. However, it is also possible to remediate vulnerable software through other actions such as updating system or application configurations or removing/disabling unused components that have been flagged as vulnerable.