A security organization has set up threat modeling. They have implemented static, interactive and dynamic application security testing. All of them are reporting vulnerabilities. What happens next? How does an organization handle all these findings?
Vulnerability management is the process of categorizing and remediating threats, and this process needs to be a collaboration between software engineers and security professionals. The "2015 State of Application Security: Closing the Gap" survey notes "26 percent of defenders took two to seven days to deploy patches to critical apps in use, while another 22 percent took eight to 30 days, and 14 percent needed 31 days to three months to deploy patches satisfactorily."
This looks like a good start until one examines how those applications are actually patched. The top three methods were: fixing the root cause through secure SDLC processes (63 percent); updating the operating environment, network architecture, or other protection mechanisms (51 percent); and applying a quick software patch (49 percent).
So although some respondents deploy patches to critical applications quickly, the methods they use may be the equivalent of duct tape. Only a few organizations appear to run successful vulnerability management programs. Such programs are crucial because they force collaboration between what the survey calls defenders (security professionals) and builders (software engineers).
This collaboration is key to identifying the root cause of the vulnerability. When defenders and builders understand the root cause, they are able to develop and test the fix properly and efficiently. When this collaboration doesn't occur, or the focus is only on the specific finding (instead of on root cause analysis), there is the potential for the same vulnerability class to appear again.
While a security professional could perform root cause analysis alone, the teamwork approach gives both the security professional and the software engineer valuable information. The defender comes to understand why the builders built the software the way they did, whether for performance, usability, or other reasons. The builders, in turn, get to see how an attacker could exploit that implementation choice.
The education provided through this collaboration can drastically change a builder's methodology in the future. In addition to useful security lessons, the biggest benefit is to the relationship between the builders and the defenders. Any successful software security assurance program depends on this relationship, and the most important aspect of any relationship is communication. Builders must be able to communicate with defenders, and vice versa. A vulnerability management program that focuses on getting the two groups together in order to identify appropriate threat remediation strategies will enable much stronger communication.
Vulnerability management is essentially the "clean-up" of vulnerabilities in an application. The more people involved in that clean-up, the more important a solid clean-up process becomes. A sound vulnerability management process will not just produce a higher-quality patch; it will also be an opportunity to strengthen the vital relationship between the security groups and the application development teams.
For more on how defenders and builders can work together to patch vulnerabilities, download the full report here.