You’ve Discovered a Vulnerability—Now What?
Identifying a weakness or an imminent threat is not the same as resolving the problem. Inaction is not an option. Or to put it another way, taking a deer-in-the-headlights approach does not work well in the cybersecurity realm.
Security leaders and teams, and the DevSecOps units they work with, need to focus on taking action as soon as possible once they have found a vulnerability using a scanner, application security testing, penetration testing, or some other method. Given the significant risk of security breaches, taking quick action is vital.
In many cases, this is easier said than done. The “now what” quandary can become something of a million-dollar question, one that might even come up in a cybersecurity job interview to see what kind of response it elicits.
The ultimate goal in dealing with software vulnerabilities is remediation (if it is necessary, but more on that later). Any steps teams take following a discovery should primarily lead to that objective. But it’s important to remember that not all vulnerabilities are equal; some can potentially do far greater damage than others. And some pose no risk at all. Adding to this complex scenario is that security teams are usually faced with multiple vulnerabilities at the same time.
Why Not Every Vulnerability Requires Patching
One of the first things teams need to know is how critical a particular vulnerability is within the context of other vulnerabilities. How much damage, if any, can the vulnerability actually do? Validating how severe a vulnerability is and prioritizing which vulnerabilities need to be addressed first are key parts of any risk management strategy.
In order to prioritize vulnerabilities, organizations need to have tools in place that can apply some type of risk and severity logic. The reality is, not all vulnerabilities require patching. The vast majority of deployed code is never actually used at runtime. Only vulnerabilities in code that is actually loaded into memory are exploitable. Your real attack surface – the one that matters for patching – is your exploitable attack surface. Most vulnerabilities identified by scanners are in code and components that are never loaded into memory and therefore pose no risk. The right tools can help you determine which ones need patching and which do not.
Another option is to use the Common Vulnerability Scoring System (CVSS), a free and open industry standard for assessing the severity of security vulnerabilities.
CVSS assigns scores to vulnerabilities, and this enables teams to prioritize resources based on how much of a threat a particular vulnerability presents to their organizations. The scores are calculated based on various metrics that estimate what kind of impact attackers could have if they exploit the vulnerability.
Organizations can leverage CVSS to calculate the severity of vulnerabilities they find, and to prioritize the remediation of vulnerabilities. The National Vulnerability Database (NVD) provides CVSS scores for practically all known vulnerabilities.
Once vulnerabilities have been prioritized, they can be remediated based on their potential severity—preferably in an automated manner.
Patch Intelligently to Save Time and Resources
One approach to remediation is to deploy a sustainable patch management process. Patches, which apply changes to operating systems, applications, or their supporting data to fix security vulnerabilities and other issues, can be installed automatically with the right tools. They can be applied to software files on a storage device or in computer memory, and can be permanent or temporary fixes.
One of the keys to making patch management successful is to only patch exploitable vulnerabilities. This frees teams from the burden of a patch backlog. Vulnerability validation and prioritization play a key role here. By aggregating vulnerability scan results and automatically filtering them so that they focus on what is loaded and exploitable, teams can reduce patching needs significantly and address the most important vulnerabilities first.
Automation allows teams to avoid patching false positives that are not loaded into memory and therefore do not pose a threat. They can get automated recommendations for the most efficient paths to remediation, based on aggregated and validated data.
By taking a more efficient approach to vulnerability remediation, security and development teams can focus on more productive initiatives such as developing innovative new software, instead of spending hundreds of hours addressing software updates that might not even be necessary.