Prioritizing And Fixing Security Vulnerabilities: A Reader's Guide

You've done your vuln scanning and found some flaws. What do you do now?
[The following is excerpted from "In a Fix? Try a Vulnerability Remediation Life Cycle," a new report posted today in the Dark Reading Vulnerability Management Tech Center.]

For many, the term "vulnerability management" conjures images of scanning tools and penetration tests. But finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part.

Scanning tools are an excellent starting point -- an automated way of mapping possible problems and exposures within a network. But the findings are not very useful without additional information and context. To be effective at reducing and remediating flaws, organizations must implement an ongoing vulnerability remediation life cycle (VRLC).

It's important to go beyond the initial scan into penetration analysis and attack path discovery to get a more complete picture of the possible exposures to business data. It may sound counterintuitive, but there are times when you may not need to fix flaws. Penetration analysis may reveal that there are compensating controls that protect an application or device at an acceptable risk level for the organization, even though the scanner is showing a vulnerability.

For many companies, compliance is the next step. After performing scans, penetration-testing analysis, and validation, an organization should match exposures and vulnerabilities to the required compliance activities.

If, for example, you have an externally facing Web server and are required to be compliant with PCI-DSS, then a cross-site request forgery (CSRF) vulnerability in the Web server would make the company noncompliant. The actual risk of exposure associated with the CSRF may be low, but the fact that it would result in a failed PCI audit increases the related risk and would, most likely, move the vulnerability up in the priority queue.

After compliance, risk management often is the next step in the VRLC. Having complete and accurate scan, penetration test, and compliance requirements data is a great beginning for the business risk analysis process.

These steps provide the foundation for establishing where the problems are, whether they are exploitable, and whether there is any risk of being noncompliant if they aren't corrected. Building on that information, the business or organization must complete its own risk analysis to identify which problems are of highest concern based on such factors as the likelihood of a successful exploit, the business impact if there is a compromise, and the value of the asset.

With a list of vulnerabilities and risk levels in hand, the organization can move on to the prioritization phase of the VRLC. In this phase, the laundry list of vulnerabilities defined during the initial scan is organized by order of remediation criticality. The goal is to merge all of the information from the previous steps in a way that intelligently establishes priority.
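As an added illustration of the prioritization phase described above (example code, not from the report or from Dark Reading), the following merges exploitability from penetration analysis, compensating controls, compliance impact and the business risk factors into one remediation order; the weights, the `COMPLIANCE_UPLIFT` constant and the sample findings are assumptions constructed for this example.

```python
"""Toy prioritization step for a vulnerability remediation life cycle (VRLC).

Weights and sample findings are constructed for illustration only; they do not
come from any real scanner or from the report this page excerpts.
"""
from dataclasses import dataclass

COMPLIANCE_UPLIFT = 3.0  # assumed: how far a would-fail-the-audit finding moves up


@dataclass
class Finding:
    asset: str
    vuln: str
    scanner_severity: float     # raw scanner score, 0-10 (kept for reporting only)
    exploitable: bool           # confirmed by penetration analysis / attack path discovery
    compensating_control: bool  # pentest found a control that already mitigates it
    compliance_impact: bool     # would cause a failed audit (e.g. PCI-DSS)
    likelihood: float           # probability of a successful exploit, 0-1
    business_impact: float      # impact of a compromise, 0-10
    asset_value: float          # value of the affected asset, 0-10


def remediation_priority(f: Finding) -> float:
    """Score 0-10; 0 means the risk is accepted and the finding leaves the queue."""
    # A compensating control at an acceptable risk level means no fix is needed,
    # unless the finding would still fail a required audit.
    if f.compensating_control and not f.compliance_impact:
        return 0.0
    # Business risk: likelihood weighted against impact and asset value (0-10).
    score = f.likelihood * (0.6 * f.business_impact + 0.4 * f.asset_value)
    if not f.exploitable:
        score *= 0.5  # scanner-only finding with no confirmed attack path
    if f.compliance_impact:
        score += COMPLIANCE_UPLIFT  # low actual risk can still move up the queue
    return round(min(score, 10.0), 2)


def prioritize(findings):
    """Return (queue, accepted): queue is (asset, vuln, score) by descending priority."""
    scored = [(remediation_priority(f), f) for f in findings]
    queue = sorted((t for t in scored if t[0] > 0), key=lambda t: t[0], reverse=True)
    accepted = [(f.asset, f.vuln) for s, f in scored if s == 0]
    return [(f.asset, f.vuln, s) for s, f in queue], accepted


SAMPLE_FINDINGS = [  # constructed sample data
    Finding("web-shop", "CSRF", 4.3, True, False, True, 0.3, 3, 8),
    Finding("intranet-wiki", "SQL injection", 9.0, True, False, False, 0.6, 6, 4),
    Finding("legacy-app", "outdated TLS", 7.5, False, True, False, 0.4, 5, 5),
    Finding("hr-db", "weak password policy", 5.0, True, False, False, 0.7, 9, 9),
]

if __name__ == "__main__":
    queue, accepted = prioritize(SAMPLE_FINDINGS)
    print("remediation queue:", queue)
    print("accepted risk (no fix needed):", accepted)
```

With these inputs the externally facing CSRF has a lower business risk than the intranet SQL injection but lands above it because of the audit impact, while the finding covered by a compensating control drops out of the queue.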

Now that the organization has determined what needs to be fixed and in what order of priority, the last thing to consider is the best way to fix that flaw -- both in the short and the long term.

While long-term fixes are often the most desirable, the reality is that organizations don't always have the time and/or resources to be able to implement them immediately. It's acceptable to have a mixture of both short- and long-term fixes as long as the repercussions of the decisions and the associated risks are understood.

To see the step-by-step process of the VRLC -- and to get details on the options available for remediation -- download the full report.
