NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge
More Menu Less Menu
Schedule a Demo
Security Team Intelligence

The Benefits of Full Stack Vulnerability Management

What is Full Stack Vulnerability Management?

Full stack vulnerability management utilizes a variety of vulnerability scanner types to identify and remediate software and configuration issues in order to secure an enterprise across the Software Development Life Cycle (SDLC).  

Different types of vulnerability scanners target different stages within the SDLC and even different types of code.  A full stack program utilizes the appropriate scanners to fully track the different sources of vulnerabilities across an enterprise.  This may include scanning for vulnerabilities in:

  • Source code repositories
  • Open Source and other Third Party Dependencies
  • Infrastructure as Code repositories
  • Containers 
  • Serverless functions
  • Infrastructure scanning for on-prem and cloud based assets
  • Deployed applications

Benefits of Full Stack Vulnerability Management

Assume that we have a simple web application that was developed in-house.  That application utilizes open source packages as well as proprietary code.  The application is packaged within a Docker file which is then deployed to a Kubernetes (k8s) cluster on a cloud platform.

Even with this simple setup, there are a wide variety of ways that software vulnerabilities can be introduced into the system (see figure below).  Bad coding practices can introduce vulnerabilities into the source code.  Common Vulnerabilities and Exposures (CVEs) can come from the open source dependencies or the Operating System and packages included in the Docker file.  In addition, configuration issues within the Docker file or k8s and cloud setups can lead to vulnerabilities in the overall system.  All of these issues are then passed on to the resulting web application.  

A full stack vulnerability management program will utilize vulnerability scanners at each stage of the process.  Some of these results will find the same issues as they propagate through the system.  For example, CVEs introduced by the open source dependencies would be picked up when scanning the dependencies, the Docker image and the cloud infrastructure on which the image is deployed.  But not all vulnerabilities will be as easy to catch.  Some vulnerabilities will only show up in specific scanners, like code related vulnerabilities and configuration issues.  That does not mean that these vulnerabilities are not an issue at the final web application, just that a single scanner can not identify all the issues in the system.  By combining data from multiple scanner types, which target different stages in the development and deployment process, a fuller picture of the risk to the overall system can be obtained.  

Vulnerability flowchart

Furthermore, by scanning across the SDLC, vulnerabilities can be identified and remediated earlier in the process and by the teams that are best suited to the task.  Take for example a security team that finds a CVE from an open-source package on the infrastructure.  The open-source package is a dependency of the in-house software which a separate development team is responsible for. If the security team applies an update on the infrastructure without the input from the development team, they could introduce performance issues into the application due to package incompatibility.  In addition, the vulnerability may be reintroduced on subsequent updates to the application since the development team will continue to use the vulnerable package.  However, if the development team is given responsibility for securing their part of the Enterprise, the vulnerable package can be identified and remediated before deployment.  Incorporating security practices across the SDLC allows for more timely remediation of vulnerabilities and decreases the overall risk of the Enterprise.  

By utilizing full stack vulnerability management tools and processes, enterprises can better secure their systems from source code to deployed applications.  At Nopsec, we provide users the ability to consolidate vulnerability information across the full stack in order to better track vulnerability management compliance and provide process tracking and analysis. This allows users to better identify the process issues and streamline their Full Stack Vulnerability Management Program.

FAQ

Question #1: What is full stack vulnerability management?

Full stack vulnerability management utilizes a variety of vulnerability scanner types to identify and remediate software and configuration issues in order to secure an enterprise across your entire technology stack and full Software Development Life Cycle (SDLC). 

Question #2: Why use multiple scanners?

By combining data from multiple scanner types, which target different stages in the development and deployment process, a fuller picture of the risk to the overall system can be obtained.

Categories
Category
Tags
Verizon 2020 DBIR Report, Vulnerability management
Read Next

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.