Strategic Remediation Is Critical In Your DevSecOps Program
This is the fourth installment in a series about making DevSecOps work in your organization.
The fourth and final pillar of DevSecOps—following discovery, validation and prioritization—is remediation. This is the step in the vulnerability management process that all the others lead to, and without it, there is essentially no point in going through any of the other phases.
Not all remediation practices are equal, however. The key to fixing software flaws efficiently is to automate the task to the greatest extent possible. This not only speeds up the process of eliminating the risks the affected software presents, but it accelerates the delivery of newly developed products into production.
Security and development teams need to focus not just on remediation, but on smart remediation that leverages automation. This fits in with the previous stages of the vulnerability management process, each of which strives for the most efficient method of addressing software bugs that can end up becoming security risks.
As research firm Gartner has noted, the threat landscape is different for every organization, and therefore a reasonable time frame for fixing vulnerabilities will also vary. “Perceived ‘industry standard’ vulnerability remediation time frames do not account for organization-specific constraints, technology cohabitation considerations, internal policies or external compliance requirements,” it says.
The firm recommends that organizations take a structured risk- and fact-based approach to vulnerability management as part of an overall security program.
“The sheer volume of reported vulnerabilities means that organizations are challenged to remediate them in appropriate time frames,” the firm says. “Based on how fast vulnerabilities can be exploited, organizations must be prepared to perform emergency remediation on key systems within hours of a vendor releasing a patch to address a vulnerability, as well as heavily invest in mitigation measures.”
They also need to continue refining their remediation process maturity to achieve non-emergency remediation across all system types within weeks, rather than months or years, Gartner says.
The firm suggests four best practices to operationalize effective remediation time frames:
- Align vulnerability management to the organization’s appetite for operational risk, IT operational capacity/capabilities and its ability to absorb disruption when attempting to remediate vulnerabilities.
- Implement multifaceted, risk-based vulnerability prioritization based on factors such as the severity of the vulnerability, current exploitation activity, business criticality and exposure of the affected system.
- Combine compensating controls that can do virtual patching, such as intrusion detection and prevention systems and web application firewalls, with remediation solutions such as patch management tools, to reduce the attack surface more effectively.
- Use technologies to automate vulnerability analysis, which can improve remediation efficiency.
Rezilion has made automating vulnerability remediation a priority in its product strategy. Its platform distills thousands of vulnerabilities to a handful of packages that need to be updated to remediate vulnerabilities and meet security and compliance requirements. Its solution executes an organization’s remediation plan with automated tickets and issues to notify developers of exactly which components they need to upgrade.
The platform can also track a team’s remediation efforts and service level agreements (SLAs) to ensure that the team does not fall out of compliance.
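As an added illustration of the risk-based prioritization in Gartner's four practices above and of the package-level, SLA-tracked remediation plan just described (example code, not Rezilion's product or Gartner's model), the following Python scores each finding on severity, exploitation activity, business criticality and exposure, assigns an emergency (hours) or standard (weeks) deadline, reduces open findings to the packages that need upgrading, and flags SLA breaches. The weights, time windows and the sample inventory with its placeholder identifiers are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Assumed weights and time windows: illustrative, not Gartner's or Rezilion's figures.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE = {"internet": 3, "internal": 2, "isolated": 1}
EMERGENCY_WINDOW = timedelta(hours=72)  # "within hours" tier
STANDARD_WINDOW = timedelta(weeks=3)    # "within weeks" tier

@dataclass
class Finding:
    vuln_id: str                      # placeholder ids below, not real CVEs
    package: str                      # component that must be upgraded
    severity: str                     # scanner severity
    exploited_in_wild: bool           # current exploitation activity
    business_critical: bool           # business criticality of the host
    exposure: str                     # exposure of the affected system
    found: datetime
    fixed: Optional[datetime] = None  # set when the upgrade ships

def risk_score(f: Finding) -> int:
    # Severity x exposure, doubled when exploitation is observed, +3 on business-critical hosts.
    base = SEVERITY[f.severity] * EXPOSURE[f.exposure]
    return base * (2 if f.exploited_in_wild else 1) + (3 if f.business_critical else 0)

def is_emergency(f: Finding) -> bool:
    # Emergency tier: actively exploited on an exposed or business-critical system.
    return f.exploited_in_wild and (f.business_critical or f.exposure == "internet")
def deadline(f: Finding) -> datetime:
    return f.found + (EMERGENCY_WINDOW if is_emergency(f) else STANDARD_WINDOW)

def packages_to_update(findings):
    # Reduce open findings to the packages to upgrade, highest risk first.
    best = {}
    for f in findings:
        if f.fixed is None:
            best[f.package] = max(best.get(f.package, 0), risk_score(f))
    return sorted(best, key=lambda p: -best[p])
def sla_breaches(findings, now):
    # Open findings whose remediation deadline has already passed at `now`.
    return [f.vuln_id for f in findings if f.fixed is None and now > deadline(f)]

T0 = datetime(2024, 1, 1)  # constructed sample inventory, placeholder identifiers
FINDINGS = [
    Finding("VULN-0001", "openssl", "high", True, True, "internet", T0),
    Finding("VULN-0002", "openssl", "medium", False, False, "internal", T0),
    Finding("VULN-0003", "lodash", "critical", False, False, "isolated", T0),
    Finding("VULN-0004", "log-lib", "low", False, True, "internal", T0, fixed=T0 + timedelta(days=2)),
]
```

Running `packages_to_update(FINDINGS)` collapses the four findings to two packages, and `sla_breaches(FINDINGS, now)` is the check a ticketing integration would run on a schedule to escalate overdue items.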