Vulnerability Validation Increases Efficiency in DevSecOps
This is the second installment in a series about making DevSecOps work in your organization.
In a previous post, we covered the first pillar of the DevSecOps model—discovery. In this post we discuss the second, which is validation. The reason this phase is so important to the DevSecOps model and for successful vulnerability management is that it’s the point where the software flaws that represent true risks are separated out from those that are not serious security risks.
Vulnerability validation is a technical analysis to determine if a specific vulnerability in a piece of code is exploitable in the specific context in which the code is deployed. For instance, when code or packages of code are deployed inside a container, most of them are not going to be used.
Some of it might be code bloat, some might be a component of the operating system. If a given piece of vulnerable code can be deployed in a container but not loaded into memory, it is technically not exploitable and therefore not a threat.
How Vulnerability Validation Improves Efficiency
The process of vulnerability validation is always deterministic. It provides a definitive yes or no answer to the question of whether a given vulnerability is exploitable.
Tools such as the Rezilion platform provide the analysis teams need in order to identify which vulnerabilities can actually be exploited by cyber criminals. Among the benefits of validation using a solution such as this is that it enables security and development teams to patch less, which in turn gives them more time create new products and features. They can be free of the burden of patch backlogs.
Rezilion’s platform reduces patching needs by 85% or more by aggregating vulnerability scan results and automatically filtering them to focus only on what is actually loaded and exploitable. Our own runtime research analysis finds, on average, only 15% of discovered vulnerabilities are loaded into memory, which makes them exploitable.
In one use case, a Fortune 500 software company experienced $4.3 million in savings per year using the platform. The company has about 1,300 servers in production and discovered more than 5 million total vulnerabilities. Using the Rezilion solution it determined that a high percentage of vulnerabilities were not loaded into code and therefore not a risk. The savings came in not having to patch these vulnerabilities.
Among the key features of the platform that enable validation is that users can visualize their Dynamic software bill of materials (DSBOM) by mapping and dynamically tracking the function, status and interactions of every piece of code in an organization’s environment.
They can manage the full vulnerability backlog in a single place, by aggregating scan data from any type or number of scanning tools to accurately report on the effectiveness of the organization’s vulnerability management program.
Given the large number of software vulnerabilities and the limited number of resources at many organizations, driving efficiencies with vulnerability management has never been more important for organizations. That’s why validation is one of the pillars of DevSecOps—and something enterprises should be leveraging in their efforts to reduce software security risks.
Patch Only What Matters. Learn How Today
Get the clarity you need to quickly manage and eliminate software vulnerabilities and get back to building. Learn more about how Rezilion helps you find meaningful signals in the noise and manage your vulnerabilities more efficiently. Book a demo and learn more today.