
Vulnerabilities / Threats

11/17/2020
04:10 PM
David Habusha
Commentary

Vulnerability Prioritization Tops Security Pros' Challenges

Why vulnerability prioritization has become a top challenge for security professionals and how security and development teams can get it right.

When it comes to addressing their backlog of unfixed security issues, many software development organizations are facing an uphill battle. One reason is the proliferation of automated security tools. Adopting automated solutions helps development and security teams shift testing left and eliminate time-consuming manual processes, and it is a welcome component of the DevSecOps approach. But it also creates a new set of challenges. Chief among them is a long and exhausting list of security alerts, which forces organizations to find an efficient way to prioritize vulnerabilities: with more scanners feeding the backlog, the volume of findings grows faster than any team's capacity to fix them.


Security Professionals' Top Challenge: Prioritization
WhiteSource recently surveyed more than 560 application security professionals and software developers for its "DevSecOps Insights Report." When asked about their biggest challenges in implementing and running an application security program, security professionals' resounding answer, at 41%, was vulnerability prioritization. 

This should come as no surprise to anyone working in software development. Software development organizations are using more application security tools than ever before and from the earliest stages of development. Most are on top of detection, but that's only the first step. Next comes prioritization: Once you've detected the security issues, how can you make sure you are addressing the most critical issues first?

Vulnerability Prioritization: A Work in Progress?
While prioritization is essential for organizations that want to get ahead of their backlog, they are still struggling to formulate a standardized prioritization process. Even though vulnerability prioritization rated very high on application security professionals' list of top challenges, the WhiteSource survey found that most security and development teams don't follow a shared process for prioritization.

The survey asked to what extent the security and development teams in their organization agree on which vulnerabilities need to be fixed, and the results were concerning: 58% of respondents said they sometimes agree, but each team follows ad hoc practices and separate guidelines. Only 31% of respondents said they have an agreed-upon process to determine priorities.

The Cost of No Process
Without an agreed-upon process, prioritization becomes time-consuming, expensive, and risky. While teams spend valuable time trying to figure out which vulnerabilities might have the biggest impact on their systems, remediation is delayed, and security threats are left unattended.

In addition to losing valuable remediation time, negotiation and debate over which vulnerabilities require the most immediate attention can become a major source of friction between development and security teams. At a time when organizations are working to bridge the gap between security and development, they need ways to break down the traditional silos, not new battlegrounds that slow both teams down while leaving systems exposed.

Facing the Challenge of Prioritization Head-on
Happily, some organizations are already learning how to apply DevSecOps principles to vulnerability prioritization so that it can be integrated into an agile development cycle. Principles such as cooperation between teams, shared ownership of security, and automation can help organizations clear the security-alert bottleneck that many feel trapped in.

Here are three tips that can help you get prioritization right by incorporating DevSecOps:

1. Put a shared process in place. With an agreed-upon process, there is nothing to debate case by case: the process states which factors set a vulnerability's priority and what remediation window each priority carries. Formulating it requires both teams to set aside time up front, but you come out the other side with a process that avoids a great deal of aggravation, risk, and wasted time.

2. Automate. Today's DevSecOps ecosystem offers a tool for pretty much everything, and that includes prioritization. Ideally, vulnerability detection tools also provide prioritization and remediation insights that get you to the most urgent issues first. Look for a tool that offers actionable insight into which vulnerabilities actually impact your code, so you don't waste time on findings that carry a high severity score but pose minimal threat in context, for example a vulnerable function in a dependency that your application never calls. A raw severity score describes the flaw, not your exposure to it.

3. Appoint an AppSec champion. WhiteSource's survey found that teams with an AppSec champion have nearly twice the chance of easily reaching agreement by relying on a trusted standardized process.

An AppSec champion is an important step toward bridging the divide between development and security. The role boosts communication and process discipline, especially around prioritization, keeps everyone on the same page, and promotes the sense of shared responsibility that DevSecOps maturity requires.
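To make the first two tips concrete, here is an added example of a shared prioritization policy expressed as a short Python script. It is not code from this article or from WhiteSource, and the finding fields, weights, tier thresholds, SLA days, and sample backlog are all hypothetical: each finding carries a CVSS base score plus three context flags (whether the vulnerable function is reachable from application code, whether a public exploit exists, and whether the service is internet-facing), and the policy discounts unreachable code heavily while raising the score for exposure and exploit availability. Running it over the constructed backlog shows a 9.8 CVSS finding in unreachable code ranking below a 5.3 in a reachable, internet-facing path.

```python
"""Added example (not from the article or WhiteSource): a shared
vulnerability prioritization policy expressed as code, so that
security and development rank the backlog the same way every time.

All weights, thresholds, SLA values and sample findings below are
hypothetical policy choices for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    id: str
    package: str
    cvss: float            # CVSS v3 base score, 0.0 to 10.0
    reachable: bool        # vulnerable function is called by application code
    exploit_public: bool   # a working public exploit is known
    internet_facing: bool  # the affected service is exposed to the internet


# Shared policy: priority tier -> remediation SLA in days (illustrative)
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Fixed reference date so the output is reproducible (hypothetical)
REFERENCE_DATE = date(2020, 11, 17)


def effective_score(f: Finding) -> float:
    """Adjust the raw CVSS score with context.

    Unreachable code is discounted to 30% of its base score; a public
    exploit adds 1.5 and internet exposure adds 1.0, capped at 10.0.
    """
    score = f.cvss
    if not f.reachable:
        score *= 0.3
    if f.exploit_public:
        score = min(10.0, score + 1.5)
    if f.internet_facing:
        score = min(10.0, score + 1.0)
    return round(score, 1)


def tier(score: float) -> str:
    """Map an effective score onto the agreed priority tiers."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def triage(findings, today=REFERENCE_DATE):
    """Return the backlog ordered by effective score, each row carrying
    its tier and the due date derived from the shared SLA table."""
    rows = []
    for f in findings:
        s = effective_score(f)
        t = tier(s)
        rows.append({
            "id": f.id, "package": f.package, "cvss": f.cvss,
            "effective": s, "tier": t,
            "due": today + timedelta(days=SLA_DAYS[t]),
        })
    rows.sort(key=lambda r: (-r["effective"], r["id"]))
    return rows


# Constructed sample backlog (not real findings)
SAMPLE = [
    Finding("F-1", "libfoo", 9.8, reachable=False, exploit_public=True, internet_facing=False),
    Finding("F-2", "libbar", 7.5, reachable=True, exploit_public=True, internet_facing=True),
    Finding("F-3", "libbaz", 5.3, reachable=True, exploit_public=False, internet_facing=True),
    Finding("F-4", "libqux", 8.1, reachable=False, exploit_public=False, internet_facing=False),
]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['id']} {r['package']:<7} cvss={r['cvss']:>4} "
              f"effective={r['effective']:>4} {r['tier']} due={r['due']}")
```

With the sample backlog the order comes out F-2, F-3, F-1, F-4: the two highest CVSS scores drop to the bottom because the vulnerable code is never reached, and the reachable, exposed 7.5 becomes the only P1 with a seven-day deadline. Because the policy is a file both teams review and version, a disagreement becomes a pull request against the weights rather than a meeting.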

Prioritizing Vulnerabilities: The Quickest Way to Remediation
With the increasingly tight release schedules everyone is racing to achieve, who has time to debate which comes first on the seemingly never-ending list of security alerts?

Prioritization doesn't have to be a long, contentious negotiation or a guessing game. Take a page out of the DevSecOps playbook and implement a prioritization process, the right tools, and a shared sense of ownership over security to make sure your team becomes a well-oiled vulnerability-fixing machine.

David Habusha is the VP of product at WhiteSource. He frequently writes articles and speaks about open source, DevOps, and security. Previously, Habusha led product management teams in large ISVs (Symantec, Veritas, and others) and startups. He is the co-founder of ...