Prioritization Changes the Game in DevSecOps
This is the third installment in a series about making DevSecOps work in your organization.
Discovery lets security and development teams find software vulnerabilities, and validation lets them determine which of those flaws present real risk in their environment and which do not. Prioritization then answers the next question: of the vulnerabilities that are real, which should be fixed first, given the damage each could do to the organization.
Why this pillar matters should be fairly obvious: vulnerabilities are not equal in the damage an attacker can do by exploiting them, nor in how widely that damage can spread once they are exploited.
Prioritization, like the other three pillars, is essential to the successful use of DevSecOps and to effective vulnerability management.
How Vulnerability Prioritization Has Changed
For years, vulnerability prioritization frameworks have been built on the Common Vulnerability Scoring System (CVSS), a free and open industry standard for rating the severity of vulnerabilities. CVSS assigns each vulnerability a numerical severity score derived from its characteristics (attack vector, attack complexity, privileges required, user interaction, and impact on confidentiality, integrity and availability), so teams can allocate response effort according to severity. The caveat practitioners run into is that a CVSS base score describes how bad a flaw could be in the abstract; it says nothing about whether the vulnerable code is reachable in a given deployment or whether anyone is actually exploiting it.
Teams responsible for patching typically work to resolve issues within an agreed time window, but they often do not learn of a flaw until a separate security-testing team has validated that the vulnerability exists. By the time that handoff happens, the vulnerability may already have been open on a production service for days.
Clearly, many vulnerabilities are still being exploited by cyber criminals. There has to be a more effective way to prioritize and fix software flaws before they can be leveraged in attacks, and this matters all the more as companies rely on software to conduct digital business and support their key processes.
A tool such as the Rezilion platform helps organizations prioritize which vulnerabilities require immediate fixing, and which can be placed further down the list as lower priorities because they pose little or no immediate risk to the environment.
Prioritizing vulnerabilities has become a focal point for organizations, including the federal government. For example, in November 2021 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01, which directs federal civilian agencies to remediate, on an urgent and prioritized basis, vulnerabilities that adversaries are actively exploiting.
The directive establishes a CISA-managed catalog of Known Exploited Vulnerabilities (KEV) and requires agencies to remediate each listed vulnerability by the due date CISA assigns to it (under the directive's initial terms, two weeks for vulnerabilities with CVE IDs assigned in 2021 or later and six months for older ones). It is intended to send “a clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity.”
The directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. With the directive, CISA imposed the first government-wide requirements to remediate vulnerabilities affecting both Internet-facing and non-Internet facing assets.
Although the directive applies to federal civilian agencies, CISA strongly recommended that private businesses as well as other government entities prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.
Prioritize and Patch What Matters
Rezilion helps you find meaningful signals in the noise and manage your vulnerabilities more efficiently. Book a demo and learn more today.