Vulnerability management can be a complex process to embrace. That's why organizations attempting to get further involved in the work should always have a comprehensive game plan.
Boston harbors a fairly robust IT security community, the kind that can hopefully support a local event like SOURCE, in its second year, which highlights our place on the map. It’s also a town that counts a handful of interesting players from the vulnerability management space among its residents, including Core Security, Safelight and Veracode – along with a number of more traditional security providers such as RSA, and Kaspersky and Sophos, both of whom have based their U.S. offices in the region.
I recently had the chance to attend the SOURCE Boston 2009 conference that was held here just a hop, skip and jump down the street from our headquarters in the burgeoning Seaport District. It’s nice to have a show like this so close to home as it’s a welcome change to attend an industry event and go to sleep in your own bed at night.
One of the more interesting discussions on the show schedule – which I was not actually able to attend but which I was able to explore by reading the speaker’s white paper on the topic, was the session delivered by Carole Fennelly, director of content at vulnerability scanner maker Tenable Security.
In reviewing on the vulnerability management process, it became clear that no matter where they hail from geographically or within the product spectrum, seemingly everyone in the space shares at least one perspective.
That being: if you’re going to do vulnerability management right, you have to approach the process with a game plan that brings in all the stakeholders.
Fennelly’s presentation highlighted the fact that a lot of the problems that organizations run into in launching their internal vulnerability programs result from breakdowns in their process, versus any issue related to, say, how they apply the technologies used in measuring security.
Before launching into any vulnerability management effort, from development-stage code reviews through to penetration testing of live applications, it has become clear that those organizations who take the most pragmatic approach to planning their programs, versus merely trying to use technology to solve problems, get the most useful results. This is turn gives them the information they really need to most effectively target remediation.
For instance, translating vulnerability management from concept into an active process successfully requires the participation of everyone from top-down management, to business units, software developers and operational IT personnel, in addition to security assessment teams themselves. It’s best to involve these various constituencies into expanding your programs over time where applicable.
If you’re going to run tests on live production systems, you better tell the business people who depend on those systems exactly what they should expect.
Of all the various pieces of the vulnerability management process, we at Core Security of course maintain that penetration testing is the most important element in establishing both how you know which vulnerabilities you must address first – namely those that are most critical and easily exploited – and in determining how effective your overall program is in terms of eliminating problems.
Our take is that by testing both upfront to figure out where you stand, and then again after you’ve completed remediation work, you can gain the best understanding of where you’re coming from, and what you’ve actually managed to fix.
Incorporating testing into the front end of your vulnerability management efforts will also not only help you plan which areas of your IT stack to focus your subsequent efforts on, but it will also allow you to measure over time how your other programs are working, including SDLC and patch management initiatives.
We remain confident that any organization could benefit immediately from deploying our CORE IMPACT solutions and engaging in proactive testing to understand their most pressing areas of critical risk. Automating manual security testing tasks that many companies already perform is part of the essence of what it is we provide.
Security is an on-going human process, not just a product.