5 Important Tips for Software Vulnerability Management

Image by TheDigitalArtist from Pixabay

For the past three years, developers and security experts have been fighting a tsunami of vulnerabilities. Each year sets a new record of reported vulnerabilities. Every year has been declared as ‘the year of security breaches’. Software vulnerability management was created as a response to this harrowing battle.

Read on to learn how developers and security experts can apply software vulnerability management practices to win the battle against vulnerabilities.

What Is a Software Vulnerability?

The term software vulnerability refers to any exploit in the codebase. Cyber criminals use vulnerabilities to initiate attacks. The vulnerability can be a result of a coding error, left unintentionally by the developer, or a result of a forced code manipulation by an attack. Whether vulnerabilities are caused by human error or intent, each one has the potential to turn into a risk.

While not all vulnerabilities represent an immediate risk, organizations should continuously monitor their codebase as safely as they monitor their security perimeter. It often takes but one vulnerability to gain unauthorized access, steal data, inject malware or ransomware, or cause a system failure that cripples an organization for hours on end.

OWASP Top 10 Vulnerabilities List

The demand for faster software production, coupled with the increasing automation of cyber attacks, has created a software landscape riddled with vulnerabilities. Since 2017, the number of reported vulnerabilities increase, with 5,501 vulnerabilities reported in the first quarter of 2019.

The Open Web Application Security Project (OWASP) is a global non-profit organization dedicated to improving software security by providing free resources. To help developers and security professionals handle the increasing amount of vulnerabilities, the OWASP created a report, called the OWASP Top 10 Vulnerabilities list, which prioritizes the vulnerabilities that are most likely to be exploited.

Open-Source Vulnerabilities

Developers use open-source software (OSS) components to fast-track the development process. Many OSS components are accessible to anyone who wishes to contribute to the project. Attackers can easily gain access, manipulate the code, and create a vulnerability. Nowadays, when open source components have become a staple in propriety codebase, open source vulnerabilities form a critical risk to organizations and users worldwide.

Open-source vulnerability databases such as the National Vulnerability Database (NVD), help developers and security professionals keep informed on major open source vulnerabilities and breaches. The NVD was established by the US government, in 2005, with the goal to provide analysis reports that explain the nature of each detected vulnerability and provide a scoring system for prioritization.

How One Apache Struts Vulnerability Breached Equifax

In 2017 the NVD detected a vulnerability in a popular open-source project, called Apache Struts. The NVD named the vulnerability CVE-2017-5638, explained its nature, listed a number of helpful links for remediation solutions, and advised everyone to patch it up immediately.

Following the NVD report, the Internet exploded with news about the vulnerability. Unfortunately, black hats that took the warning more seriously than organizations. On March 10, hackers searched the web for servers containing the Apache Struts vulnerability. It took them two months, but on May 13 they hit gold—Equifax's dispute portal.

Equifax is a credit reporting agency that analyses consumer data and then gives them a credit score. The report is usually ordered by businesses interested in ensuring that their customers are financially reliable. Equifax offers one method of arguing against a credit score—their online dispute portal, which, consequently, contains a huge amount of personal and financial information.

A report by the Government Accountability Office (GAO) revealed that once the hackers found the Apache Struts vulnerability, they gained access to the login credentials of three servers. Everything snowballed from there. The same credentials gave them access to 48 additional servers that contained personal information.

To avoid detection, the hackers spread their work over 51 databases and stole the data in small pieces. They enjoyed 76 days of uninterrupted activity within Equifax’s network, stealing the information of 147.7 million Americans.

What Is Software Vulnerability Management?

No one expects organizations to patch every single reported vulnerability. The concept of vulnerability management was developed with the goal to help organizations enforce policies that prevent the exploitation of their codebase.

Software vulnerability management is a continuous process that encompasses the following categories:

• Vulnerability detection—tasks involved with testing the software and identifying vulnerabilities.
• Vulnerability reporting—tasks involved with classifying the detected vulnerabilities, and devising fixes.
• Vulnerability remediation—tasks involved with prioritizing and patching vulnerabilities, investigating fasl positives, and enforcing vulnerability policies.

By applying a continuous process of software vulnerability management, organizations can quickly detect, prioritize and remediate the most pressing vulnerabilities.

Tips for Vulnerability Management

#1. Know your software
The first step in protecting your software is gaining as much knowledge as possible, which in turn will allow you to properly assess the situation. When you compile your knowledge base, be sure to investigate your codebase for:

• License and components—create a Bill of Materials (BOM) that lists all the components of your code, including open source and propriety.
• Known vulnerabilities—using vulnerabilities databases such as the NVD, scan your codebase looking for known vulnerabilities, then list them.

#2. Assess your software
Once you know the inner workings of your codebase, it’s time to assess the situation, classify vulnerabilities, and create an appropriate vulnerability management policy. Your policy should clearly define guidelines such as the number and frequency of scans—continuous or the occasional static scan—and action plans for vulnerability remediation. If you have control over the entire ecosystem, scan as much of it as possible.

#3. Automate your process
The odds in vulnerability management are stacked against development and security teams, with thousand vulnerabilities against few valiant human defenders. Today, there are many systems that can help even the odds, and even help developers and security professionals get the upper hand in this breach-riddled war. In fact, there’s a veritable alphabet soup of available testing tools, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST). Be sure to find the right tool for you.

#4. Prioritize your vulnerabilities
You now have the data you need to make informed decisions. Use your lists, reports, and insights garnered from the scans. If you’re applying a manual process, look for bid data tools that can help you create a visual representation of the data. Visual aids can help you quickly spot the most pressing vulnerabilities. If you’re using a Software Composition Analysis (SCA) tool, you might be able to automate this stage and delegate the prioritization task to the SCA.

#5. Patch your software
If you’re running this process on your software pre-launch, be sure to apply all the necessary patches on time. Once your system is live, patching will get trickier. However, don’t be afraid of downtime. Often, patching up a vulnerability is much more important than business continuity. Don’t wait until it’s too late, like in Equifax’s case. If you see that patching takes too much of your time, you can always automate this process.

Wrap Up

With such large numbers of vulnerabilities being published on a daily basis, keeping track of them all can be overwhelming. To secure your software and development environment, you need to have in place an adequate software vulnerability management strategy. If you follow the necessary practices and use the appropriate tools, you should be able to maintain awareness of the latest vulnerabilities and threats, along with visibility over your open source components and dependencies, so you can apply patches and minimize your exposure to exploits.