Application Security: Managing Vulnerabilities Throughout SDLC

How can I find security people, how do I deal with budget and time, how should I prioritize, what will have the most impact on the business, what will reduce my risk the most? These are the questions facing many security teams. In the vulnerability space, many are still working off spreadsheets and ad hoc reports to answer these questions. The problem has become so widespread that a new category has been created, called Application Vulnerability Correlation (AVC). NopSec has been in this space for many years, and we would like to share the seven components necessary to truly have an impact in AVC.

Components of AVC

  1. Expertise and Knowledge – Expertise and knowledge are necessary to consolidate the number of vulnerabilities, prioritize them and eliminate the noise through correlation.
  2. The Big Picture – Looking at one environment is not enough. A complete AVC solution should look at vulnerabilities in commercial products, system configuration, in-house developed applications, cloud platforms, operating systems, and internal and external networks.
  3. The Entire Application Stack – Inspection and knowledge of the full application stack is necessary. An application's own code may be vulnerability-free while a child or parent component is vulnerable.
  4. Prioritization – Adding context and eliminating false positives and duplicates. Reprioritizing based on exploit availability, asset criticality, social context and exploitability.
  5. Automation – Must look at attack chains and not silos of vulnerabilities. Proactive investigation, including privilege escalation and credential extraction.
  6. Vulnerability Workflow Management – Remediation workflow, assignment and oversight are critical to the success of a vulnerability program. Discovery without remediation does not reduce risk.
  7. Integration – Extensible integration with scanners, threat intel, social context, asset info, AI rules and other data as it becomes available.
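
The correlation and prioritization described in components 3 and 4 can be sketched as follows. This is an added example, not NopSec's code or product logic; the scanner names, placeholder finding IDs, criticality weights and the 1.5 exploit multiplier are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample findings from three hypothetical scanners.
FINDINGS = [
    {"scanner": "sast", "asset": "billing-app", "component": "billing-app",
     "vuln": "VULN-SQLI", "base": 8.0},
    # Same dependency issue reported twice: by dependency analysis and a network scan.
    {"scanner": "sca", "asset": "billing-app", "component": "libexample 1.2",
     "vuln": "VULN-LIB", "base": 7.5},
    {"scanner": "net", "asset": "billing-app", "component": "libexample 1.2",
     "vuln": "VULN-LIB", "base": 7.0},
    {"scanner": "net", "asset": "wiki", "component": "os",
     "vuln": "VULN-OS", "base": 9.0},
    {"scanner": "sast", "asset": "wiki", "component": "wiki",
     "vuln": "VULN-XSS", "base": 6.0},
]
# Constructed context: asset criticality (0..1), IDs with a known exploit,
# and findings that triage has already marked as false positives.
ASSET_CRITICALITY = {"billing-app": 1.0, "wiki": 0.4}
EXPLOIT_AVAILABLE = {"VULN-LIB"}
FALSE_POSITIVES = {("wiki", "VULN-XSS")}
EXPLOIT_MULTIPLIER = 1.5  # assumed weight, not a standard value


def correlate(findings, criticality, exploited, false_positives):
    """Drop false positives, merge duplicates across scanners, then re-rank."""
    merged = defaultdict(lambda: {"base": 0.0, "scanners": set()})
    for f in findings:
        if (f["asset"], f["vuln"]) in false_positives:
            continue
        key = (f["asset"], f["component"], f["vuln"])
        merged[key]["base"] = max(merged[key]["base"], f["base"])
        merged[key]["scanners"].add(f["scanner"])

    ranked = []
    for (asset, component, vuln), m in merged.items():
        score = m["base"] * criticality.get(asset, 0.5)  # unknown asset: mid weight
        if vuln in exploited:
            score *= EXPLOIT_MULTIPLIER
        ranked.append({"asset": asset, "component": component, "vuln": vuln,
                       "scanners": sorted(m["scanners"]),
                       "score": round(min(score, 10.0), 2)})
    ranked.sort(key=lambda r: (-r["score"], r["asset"], r["vuln"]))
    return ranked


if __name__ == "__main__":
    for row in correlate(FINDINGS, ASSET_CRITICALITY, EXPLOIT_AVAILABLE, FALSE_POSITIVES):
        print(row)
```

With this sample data, five raw findings collapse to three work items, and the finding with the highest raw severity (9.0 on the low-criticality wiki) ranks last, while the exploitable dependency issue in the otherwise clean billing application ranks first.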

Application Vulnerability Correlation should not be about looking at vulnerabilities in isolation. It should be about looking holistically at the vulnerability problem across the entire environment and prioritizing the work necessary to reduce risk. The seven components above outline what is necessary for a comprehensive vulnerability management program.