
Vulnerabilities / Threats

11/17/2020 04:10 PM
David Habusha
Commentary

Vulnerability Prioritization Tops Security Pros' Challenges

Why vulnerability prioritization has become a top challenge for security professionals and how security and development teams can get it right.

When it comes to addressing their backlog of unfixed security issues, many software development organizations are facing an uphill battle. One reason is the proliferation of automated security tools. Adopting automated solutions helps developers and security shift testing left and eliminate time-consuming manual processes, and it's a welcome component of the DevSecOps approach. It also requires teams to address a new set of challenges. One major challenge is a long and exhausting list of security alerts that demands organizations find a way to efficiently prioritize vulnerabilities.


Security Professionals' Top Challenge: Prioritization
WhiteSource recently surveyed more than 560 application security professionals and software developers for its "DevSecOps Insights Report." When asked about their biggest challenges in implementing and running an application security program, security professionals' resounding answer, at 41%, was vulnerability prioritization. 

This should come as no surprise to anyone working in software development. Software development organizations are using more application security tools than ever before and from the earliest stages of development. Most are on top of detection, but that's only the first step. Next comes prioritization: Once you've detected the security issues, how can you make sure you are addressing the most critical issues first?

Vulnerability Prioritization: A Work in Progress?
While prioritization is essential for organizations that want to get ahead of their backlog, they are still struggling to formulate a standardized prioritization process. Even though vulnerability prioritization rated very high on application security professionals' list of top challenges, the WhiteSource survey found that most security and development teams don't follow a shared process for prioritization.

The survey asked to what extent the security and development teams in their organization agree on which vulnerabilities need to be fixed, and the results were concerning: 58% of respondents said they sometimes agree, but each team follows ad hoc practices and separate guidelines. Only 31% of respondents said they have an agreed-upon process to determine priorities.

The Cost of No Process
Without an agreed-upon process, prioritization becomes time-consuming, expensive, and risky. While teams spend valuable time trying to figure out which vulnerabilities might have the biggest impact on their systems, remediation is delayed, and security threats are left unattended.

In addition to losing valuable remediation time, negotiation and debate over which vulnerabilities require the most immediate attention can become a major cause of friction between development and security teams. At a time when organizations are working to bridge the gap between security and development, all are looking for ways to break down the traditional silos between development and security, not create battlegrounds that further slow them down while leaving them open to risk.

Facing the Challenge of Prioritization Head-on
Happily, some organizations are already learning how to apply DevSecOps principles to vulnerability prioritization so that it can be easily integrated into an agile development cycle. Principles such as cooperation between teams, shared ownership over security, and automation can help organizations release the security alerts bottleneck that many feel trapped in.

Here are three tips that can help you get prioritization right by incorporating DevSecOps:

1. Put a shared process in place. When you have an agreed-upon process, there is no need for debate. Putting together an agreed-upon process will require teams to put aside some time to formulate a solid plan. But you'll come out on the other side with a process that will help avoid a lot of aggravation, risk, and wasted time.

2. Automate. Today's DevSecOps ecosystem offers a tool for pretty much everything — and that includes prioritization. Vulnerability detection tools will ideally also offer prioritization and remediation insights and technologies that will help you get to the most urgent issues first. Find a tool that offers actionable insights on which vulnerabilities will impact your code, so you don't waste time on vulnerabilities that may have a high severity score but pose a minimal threat.

3. Appoint an AppSec champion. WhiteSource's survey found that teams with an AppSec champion have nearly twice the chance of easily reaching agreement by relying on a trusted standardized process.

An AppSec champion is an important step toward bridging the divide between development and security. The role will help boost communication and processes — especially around prioritization, making sure that everyone is on the same page, and promoting a sense of shared responsibility, which are crucial to DevSecOps maturity.
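To make tip 2 concrete, the following is an added example (not code from the article, and not a WhiteSource product or API): a small Python triage routine that ranks scanner findings by effective risk instead of raw severity score, and maps the result onto agreed fix windows the way a shared process from tip 1 might. The findings, the multipliers, the capping at 10.0 and the fix windows are all constructed assumptions chosen to show the ordering effect; the point is that a 9.8-severity issue in a function the application never calls lands below a 6.5-severity issue sitting on an internet-facing request path with a public exploit.

```python
"""Added example: context-aware vulnerability prioritization.

All findings, scores, reachability flags, multipliers and fix windows below are
constructed for illustration; they are not the article's data or any vendor's
scoring model.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    component: str          # dependency or module the scanner flagged
    cvss: float             # base severity score, 0.0-10.0 (constructed)
    reachable: bool         # does application code actually call the vulnerable function?
    exploit_public: bool    # is a working exploit publicly known? (constructed)
    internet_facing: bool   # does the affected service accept external traffic?


def effective_risk(f: Finding) -> float:
    """Scale the base severity by deployment context.

    Unreachable code keeps a small residual score (the dependency still ships
    and may become reachable later) but drops well below reachable issues.
    Multipliers are illustrative assumptions, not a standard.
    """
    score = f.cvss
    score *= 1.0 if f.reachable else 0.2
    if f.exploit_public:
        score *= 1.5
    if f.internet_facing:
        score *= 1.25
    return round(min(score, 10.0), 2)


def fix_window_days(score: float) -> Optional[int]:
    """Agreed remediation window per risk band (assumed policy values).

    None means 'fold into the next planned dependency upgrade' rather than
    opening an urgent ticket.
    """
    if score >= 9.0:
        return 7
    if score >= 7.0:
        return 30
    if score >= 4.0:
        return 90
    return None


def triage(findings: List[Finding]) -> List[Tuple[str, float, Optional[int]]]:
    """Return (component, effective_risk, fix_window_days), highest risk first."""
    ranked = sorted(findings, key=effective_risk, reverse=True)
    return [(f.component, effective_risk(f), fix_window_days(effective_risk(f)))
            for f in ranked]


# Constructed sample scanner output: four dependencies with different contexts.
SAMPLE_FINDINGS = [
    Finding("libfoo",          cvss=9.8, reachable=False, exploit_public=False, internet_facing=True),
    Finding("webparser",       cvss=6.5, reachable=True,  exploit_public=True,  internet_facing=True),
    Finding("internal-batch",  cvss=7.5, reachable=True,  exploit_public=False, internet_facing=False),
    Finding("logging-lib",     cvss=9.0, reachable=True,  exploit_public=False, internet_facing=False),
]


if __name__ == "__main__":
    for component, score, window in triage(SAMPLE_FINDINGS):
        target = f"fix within {window} days" if window else "next planned upgrade"
        print(f"{component:15} effective risk {score:5.2f}  -> {target}")
```

Run as-is, the script orders webparser (capped at 10.0, seven-day window) ahead of logging-lib (9.0), internal-batch (7.5) and finally libfoo, whose 9.8 base score collapses to 2.45 because nothing in the application reaches the vulnerable code. The reachability flag is the input a real tool must supply; the rest is policy that security and development can agree on once and then stop debating.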

Prioritizing Vulnerabilities: The Quickest Way to Remediation
With the increasingly tight release schedules everyone is racing to achieve, who has time to debate which comes first on the seemingly never-ending list of security alerts?

Prioritization doesn't have to be a long, contentious negotiation or a guessing game. Take a page out of the DevSecOps playbook and implement a prioritization process, the right tools, and a shared sense of ownership over security to make sure your team becomes a well-oiled vulnerability-fixing machine.

David Habusha is the VP of product at WhiteSource. He frequently writes articles and speaks about open source, DevOps, and security. Previously, Habusha led product management teams in large ISVs (Symantec, Veritas, and others) and startups. He is the co-founder of ...