Vulnerability Management

Identifying security vulnerabilities is one part of the activity, managing and tracking them to closure is the other part.

As of today there exists a combination of automated and manual security testing approach to identify security vulnerabilities, be it at the Application level or the Network level:

  • Automated security testing: Various Commercial, Open Source and Freeware automated security testing tools (Application Penetration testing, Source Code Analysis, Network Penetration testing, and likewise)
  • Manual security testing: Includes phases like Reconnaissance, Discovery, Analysis and Reporting

Once the relevant security vulnerabilities are identified, risk ranked, documented along with Fix Recommendations and shared with the respective Clients (as part of the security testing activity) there is a need for tracking each of these identified security vulnerability to closure. This process is termed as Vulnerability Management.

Stakeholders:

Depending on an Organizations security implementation strategy there could be a range of stakeholders involved in the Vulnerability Management Process. Following are some of the relevant stakeholders to be considered in this process:

  • Security Testing Team: Internal Security Testing Team/External Service Providers
  • Project Manager: Project Manager/Single Point of Contact from the Project Team/Client/Customer requesting for security test
  • Developers: Development Team/Team identified to fix the identified security vulnerabilities
  • Change Management: Change Management/Team identified to approve/reject any code change requests proposed by the Project Manager

The Process:

Following is a depiction of what could be a possible workflow for Vulnerability Management Process.

Vulnerability Management Workflow
Vulnerability Management Workflow

What has Industry Standard and Compliance to say about Vulnerability Management?

  • Payment Card Industry – Data Security Standards (PCI-DSS):
Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs

 

6. Develop and maintain secure systems and applications

 

  • Health Insurance Portability and Accountability Act (HIPAA):
Standard (a) (1) (i) Implement policies and procedures to prevent, detect, contain and correct security violations

 

Standard (a) (6) (i) Implement policies and procedures to address security incidents

 

  • Common Weaknesses Enumeration (CWE) SANS:
Implementing-vulnerability-management-process-34180 Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization (e.g. in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization).

 

  • Open Software Assurance Maturity Model (OpenSAMM) from Open Web Application Security Project (OWASP): The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. OpenSAMM is closely related to Building Security into Maturity Model (BSIMM)
OpenSAMM In an advanced form, vulnerability management involves thorough dissecting of incidents and vulnerability reports to collect detailed metrics and other root-cause information to feedback into the organization’s downstream behavior.

 

The Product:

SecureFirst Solutions developed a first of its kind in Information Security, Vulnerability Management System (VMS) an Enterprise cloud based Vulnerability Management solution to manage all your Security Vulnerabilities.

Vulnerability Management System
Vulnerability Management System

 

 

 

 

 

 

A complete detail about the Product and a live demo is available at: www.SecureFirstSolutions.com

 

Author: admin

Raghavendra Rao PV has more than 11years of experience in Information Technology. He started his career as a software developer at Accenture in the year 2006 and then moved to Information Security. Prior to starting SecureFirst Solutions Private Limited, he worked with Organizations namely; Accenture Services Private Limited, TATA Consulting Services, Dell International Services. He is a Certified Ethical Hacker (CEH) and IBM Rational AppScan Certified.

Leave a Reply