Identifying security vulnerabilities is one part of the activity; managing and tracking them to closure is the other part.
Today, a combination of automated and manual security testing approaches is used to identify security vulnerabilities, whether at the application level or the network level:
- Automated security testing: various commercial, open source and freeware automated security testing tools (application penetration testing, source code analysis, network penetration testing, and the like)
- Manual security testing: includes phases such as Reconnaissance, Discovery, Analysis and Reporting
Once the relevant security vulnerabilities have been identified, risk-ranked, documented along with fix recommendations and shared with the respective clients (as part of the security testing activity), each of these identified vulnerabilities needs to be tracked to closure. This process is termed Vulnerability Management.
Depending on an organization's security implementation strategy, a range of stakeholders may be involved in the Vulnerability Management process. The following are some of the relevant stakeholders to be considered in this process:
- Security Testing Team: internal security testing team or external service providers
- Project Manager: the project manager or single point of contact from the project team, client or customer requesting the security test
- Developers: the development team, or the team identified to fix the identified security vulnerabilities
- Change Management: the change management team, or the team identified to approve or reject any code change requests proposed by the Project Manager
Following is a depiction of what could be a possible workflow for Vulnerability Management Process.
What has Industry Standard and Compliance to say about Vulnerability Management?
- Payment Card Industry – Data Security Standard (PCI-DSS):

| Control objective | Requirements |
|---|---|
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs; 6. Develop and maintain secure systems and applications |
- Health Insurance Portability and Accountability Act (HIPAA):

| Standard | Requirement |
|---|---|
| Standard (a)(1)(i) | Implement policies and procedures to prevent, detect, contain and correct security violations |
| Standard (a)(6)(i) | Implement policies and procedures to address security incidents |
- Common Weakness Enumeration (CWE) / SANS:

| Source | Definition |
|---|---|
| Implementing-vulnerability-management-process-34180 | Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk, or to a formal risk acceptance by the management of an organization (e.g. in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization). |
- Open Software Assurance Maturity Model (OpenSAMM) from the Open Web Application Security Project (OWASP): The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. OpenSAMM is closely related to the Building Security In Maturity Model (BSIMM).

| Source | Statement |
|---|---|
| OpenSAMM | In an advanced form, vulnerability management involves thorough dissection of incidents and vulnerability reports to collect detailed metrics and other root-cause information to feed back into the organization's downstream behavior. |
SecureFirst Solutions developed Vulnerability Management System (VMS), a first of its kind in Information Security: an enterprise, cloud-based Vulnerability Management solution to manage all your security vulnerabilities.
Complete details about the product and a live demo are available at: www.SecureFirstSolutions.com