Vulnerability Management is a continuous process that helps organizations detect, report, prioritize, and remediate vulnerabilities in their software and platforms. It is an important part of DevSecOps Lifecycle because it allows the ability to organize the security flaws in a manageable, actionable, and traceable way. Also, VM helps to achieve visibility of an organization's security posture. When VM is executed alongside other processes, it helps minimize the attack surface and bridge the gap between isolated findings across distributed tools and processes.
Taking the OWASP VMG Project as a reference, we can describe the overall VM process in three stages:
- Detection: During the detection cycle, we conduct the tasks that support vulnerability tests in essential ways by defining the: who, what, where, why, and how. The principal activities are focused on defining and refining scope after each round of the process, getting tools ready and verifying their integrity, conducting tests, and verifying results.
- Reporting: The reporting cycle targets activities that help the organization understand vulnerability in a measurable way. The principal activities are focused on quickly and concisely capturing all the system, vulnerability, threat, technical risk, and operational risk details associated with a vulnerability. Reporting can also involve creating organizational, meaningful metrics such as Mean Time to Remediate (MTTR) and Vulnerability Escape Rate (VER) to help the organization improve over time.
- Prioritization: The prioritization process selects vulnerabilities and working with development teams to get them fixed. Some vulnerabilities may represent minimal risk or may not be exploitable. Risk is one key factor in the prioritization process, but the effort and expertise required are also key factors. Organizations might also consider the retirement date of the system and details of the development process.
- Remediation: The Remediation cycle targets activities that reduce or eliminate vulnerabilities. Key activities are focused on defining priorities and terms of remediation work, discussing and documenting false positives, and dealing with exceptions.
The tools we use to create a DevSecOps pipeline will generate plenty of vulnerabilities, and each tool will have its own separate format. Managing this data can be challening to track. Vulnerability Management tools consolidate reports generated by different tools and activities in one or a few dashboards, providing an overview of the security posture. Team members can track the progress of remediation efforts by metrics, triage and prioritize findings across the entire pipeline, and manage the vulnerabilities lifecycle across the process. Also, engineers can benefit from the de-duplication features, which help them deal with the noise generated by continuous scanning and duplication of findings. Finally, VM Tools provide integrations with other components to enable bi-directional communication, notifications, data export, and report generation.
The following image can give you a better view of what the Vulnerability Management means and why we must consider it.
Be wary of generating a large security backlog in your VM tool that captures vulnerabilities but isn't contributing to getting them fixed. As Michal Zalewski describes in "The Tangled Web," underfunded security efforts plus risk management are no substitute for real security work.
Also be careful that your VM process isn't extremely fast. DevSecOps pipelines should be designed to create fast feedback loops that feed vulnerabilities to developers quickly as a part of the normal development process. Adding delays makes fixing vulnerabilities much more complex and expensive.
You should implement and integrate VM tools at the central part of your DevSecOps program to provide governance capabilities at earlier stages of development. Tools like OWASP DefectDojo support automatic CI/CD integration and manual reports, it also includes a checklist to track your application against OWASP ASVS V4, which is an excellent way to complement the risk analysis process.
- Open-source:
- (OWASP DefectDojo)[https://github.com/quay/clair] - OpenSource Application Security Management
- (Archery Sec)[https://www.archerysec.com] - Open Source Orchestration and Correlation Tool
- Commercial:
- (kondukto)[https://kondukto.io] - Instantly get all security testing tool results in a single view, automate vulnerability remediation workflows and manage risks with key security performance indicators (KPIs).