Vulnerability Management As A Data Issue

By admin, April 19, 2010

Organizations face a number of issues as part of their vulnerability management programs, not the least of which is data management. The problems security teams face in managing and remediating their security defects have evolved over the past several years. Finding vulnerabilities is no longer the challenge. Mature security teams are looking at all of their asset layers, including their applications, databases, hosts and networks. Any group dealing with a sizable environment isn’t struggling with finding security defects, but rather with managing the mountain of data produced by their vulnerability assessments, penetration testing and threat modeling in order to fix what’s most important first.

So how do you utilize this plethora of data to make intelligent decisions that minimize the risk to your applications and infrastructure? Several things need to occur in order to make this information valuable and actionable.

  1. Weed out the false positives / Identify false negatives
  2. Correlate the related and overlapping defects
  3. Map security defects across common assets
  4. Score defects and assets
  5. Apply context

Weeding out the false positives and identifying false negatives takes quite a bit of work. False positives need to be removed from VA results by verifying each potential exploit, while multiple data sources are compared against one another to flag potential false negatives.

Once the security team has a degree of confidence in its result set, the next step is to begin the correlation process. When best-of-breed solutions are used for each layer of your vulnerability management solution, you’ll often run into the same vulnerability multiple times, identified by different sources. Additionally, you may have multiple vulnerabilities, such as a SQL injection vulnerability flagged on multiple fields of the same form, which may only require one fix by a developer. Chalk up more time for your security analyst to weed through the data.

Often, to understand the risk currently exposed by a given platform, you’ll need to map all of the platform's assets together along with their related security vulnerabilities. In other words, a web application is made up of an entire stack of assets, including a custom-developed application, off-the-shelf software, backend databases, servers and network devices. Mapping these assets together can give security and the management team a better view into the overall risk of a platform and allow some insight into how adjacent vulnerabilities may be increasing that risk. Of course, mapping these assets and defects is only the first step in understanding the risk. The team also needs to understand the value of their assets (and combined assets) and use a risk scoring and ranking system against the identified vulnerabilities.
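Steps 2 through 4 above (correlate, map across assets, score), as an added example that is not part of the original post: the asset inventory, the findings, the severity weights and the asset values are all constructed for illustration, and the scoring rule is an assumption, not a standard.

```python
from collections import defaultdict
# Constructed asset inventory: asset -> (platform it belongs to, business value 1-5).
ASSETS = {
    "shop-web": ("web-shop", 5),
    "shop-db": ("web-shop", 5),
    "shop-fw": ("web-shop", 3),
    "wiki-web": ("wiki", 2),
}
SEVERITY = {"high": 3, "medium": 2, "low": 1}
# Constructed raw findings as different tools and a manual test would report them; the web
# scanner flags SQL injection on two fields of one form while the pentester reports the form once.
RAW_FINDINGS = [
    {"source": "appscan", "asset": "shop-web", "vuln": "sql injection", "location": "/login#user", "severity": "high"},
    {"source": "appscan", "asset": "shop-web", "vuln": "sql injection", "location": "/login#pass", "severity": "high"},
    {"source": "pentest", "asset": "shop-web", "vuln": "sql injection", "location": "/login", "severity": "high"},
    {"source": "hostscan", "asset": "shop-db", "vuln": "weak db password", "location": "", "severity": "high"},
    {"source": "netscan", "asset": "shop-fw", "vuln": "telnet enabled", "location": "", "severity": "medium"},
    {"source": "hostscan", "asset": "wiki-web", "vuln": "directory listing", "location": "", "severity": "low"},
]

def finding_key(f):
    """Collapse field-level web findings to their form, so one developer fix == one defect."""
    return (f["asset"], f["vuln"], f["location"].split("#")[0])

def correlate(findings):
    """Merge findings sharing a key; keep every reporting source and every affected field."""
    merged = {}
    for f in findings:
        entry = merged.setdefault(finding_key(f), {"sources": set(), "fields": set(), "severity": "low"})
        entry["sources"].add(f["source"])
        if "#" in f["location"]:
            entry["fields"].add(f["location"].split("#", 1)[1])
        if SEVERITY[f["severity"]] > SEVERITY[entry["severity"]]:
            entry["severity"] = f["severity"]  # keep the worst rating any source gave
    return merged

def prioritize(merged):
    """Score each defect by severity x asset value; on ties, corroborated findings rank first."""
    rows = []
    for (asset, vuln, _), entry in merged.items():
        score = SEVERITY[entry["severity"]] * ASSETS[asset][1]
        rows.append({"asset": asset, "vuln": vuln, "score": score, "corroborated": len(entry["sources"]) > 1})
    return sorted(rows, key=lambda r: (-r["score"], not r["corroborated"]))

def platform_risk(merged):
    """Map defects onto the platform their asset belongs to and total the risk per platform."""
    risk = defaultdict(int)
    for (asset, _, _), entry in merged.items():
        risk[ASSETS[asset][0]] += SEVERITY[entry["severity"]] * ASSETS[asset][1]
    return dict(risk)
```

Six raw findings collapse to four defects; the two field-level SQL injection hits and the pentester's report merge into one corroborated defect, and the web-shop platform's total is the sum of its three assets' scores.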

All of these data points, taken together and used appropriately, can bubble up issues that may not have been noticed otherwise. This can give the organization a context it previously did not have. While the low-hanging fruit is usually straightforward to address, it’s taking this to the next step that becomes the needle-in-the-haystack problem for security teams. Done properly, this could mean many hours dedicated to data mining your VA, pen testing and security review result sets. Having worked in the manual trenches of security defect data for some time, we’re looking to solve many of these problems through automation and security data intelligence. We think we have a big jump on this with Conduit, and we’re getting excited to open this up to the world soon. We hope you’ll be as excited as we are.
