Software Vulnerability Management Lifecycle – Step by Step
Secunia Research turns indiscriminate information into verified intelligence
When a software vulnerability becomes publicly known, Secunia Research investigates it and either rejects or verifies it. Once verified, the vulnerability is given a criticality rating and described in full. The description includes details about attack vectors, impact and recommended mitigating actions – available patches or possible workarounds.
The verified intelligence is then sent to our customers through our Software Vulnerability Management solutions: Vulnerability Intelligence Manager, Corporate Software Inspector and Personal Software Inspector.
Assess: The vulnerability intelligence is correlated with our users’ environments
- New Vulnerability Verified
The first critical step enabling assessment is the timely access to accurate, verified intelligence about software vulnerabilities. By obtaining the intelligence from a comprehensive and reliable source you avoid wasting time on false positives, while ensuring your threat picture is complete.
- Asset Inventory / Discovery
This intelligence then needs to be correlated with the asset inventory of your environment, to identify vulnerable applications and to provide a map of the software vulnerabilities present in your infrastructure. This requires a continuously updated inventory, based on precise scans and mapping.
- Assess and Prioritize Risk
The correlation between the vulnerability intelligence and your asset inventory enables you to assess the risk to your environment and prioritize your mitigation efforts. The location of the vulnerable application in your infrastructure, and the data it potentially provides access to, help you prioritize the urgency of fixing the issue. Risk assessment is further supported by tools to classify, group and filter assets, customize criticality ratings, and set up distribution lists and alerts. With numerous software vulnerabilities disclosed and verified every day, the ability to prioritize the issues is important.
Once you’ve identified and qualified the threat, the next step is mitigation – applying remediation or a workaround to deflect the threat. Supported by the assessment activities, classification and filters, the team responsible for mitigation can prioritize their resources and focus on the issues posing the most imminent threat to your organization.
Secunia Research always delivers information on possible solutions to the specific vulnerabilities. For some mitigation activities, such as security patch management, dedicated technology can further improve efficiency by providing the tools and content that ensure patches are deployed effectively.
The final step is verification. For different areas of the organization, different verification methods can be applied. These can be ticketing systems, scanners or reports.
Regardless of which method you choose, this step is critical, first of all to ensure that mitigation is performed successfully, but also to enable visibility, transparency and accountability within your organization.
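The three lifecycle steps above (correlate verified intelligence with the asset inventory, prioritize by criticality and asset exposure, then verify that remediation actually removed the finding) can be expressed as a small, self-contained script. The following is an added example written for this page; it is not Secunia code and does not use any Secunia product API. The advisory records, hosts, software versions and the numeric weights for criticality, network zone and data sensitivity are all constructed for illustration; the criticality labels borrow Secunia's public rating names, but the weights attached to them are an assumption.

```python
"""Correlate constructed vulnerability advisories with a constructed asset
inventory, rank the resulting findings, and verify remediation by re-scanning.
Added example for this page; not Secunia's code or data model."""
from dataclasses import dataclass, replace

# Weights are assumptions for illustration only, not Secunia's scoring scheme.
CRITICALITY_WEIGHT = {"Extremely critical": 5, "Highly critical": 4,
                      "Moderately critical": 3, "Less critical": 2, "Not critical": 1}
ZONE_WEIGHT = {"dmz": 3, "internal": 2, "isolated": 1}      # exposure of the host
DATA_WEIGHT = {"regulated": 3, "confidential": 2, "public": 1}  # data reachable from it


def parse_version(v: str) -> tuple:
    """Turn '11.0.9' into (11, 0, 9) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder id, not a real Secunia advisory
    product: str
    fixed_version: str    # first version that is no longer affected
    criticality: str
    attack_vector: str


@dataclass(frozen=True)
class Asset:
    host: str
    zone: str
    data: str
    software: dict        # product name -> installed version


@dataclass(frozen=True)
class Finding:
    host: str
    advisory_id: str
    product: str
    installed: str
    fixed: str
    score: int


# Constructed sample intelligence feed and inventory.
ADVISORIES = [
    Advisory("SA-EXAMPLE-1", "ExampleBrowser", "52.0.1", "Highly critical", "From remote"),
    Advisory("SA-EXAMPLE-2", "ExampleReader", "11.0.10", "Moderately critical", "From remote"),
    Advisory("SA-EXAMPLE-3", "ExampleArchiver", "5.21", "Less critical", "From local system"),
]
INVENTORY = [
    Asset("web01", "dmz", "public", {"ExampleBrowser": "51.0.1", "ExampleArchiver": "5.20"}),
    Asset("fin02", "internal", "regulated", {"ExampleReader": "11.0.9", "ExampleBrowser": "52.0.1"}),
    Asset("lab03", "isolated", "public", {"ExampleArchiver": "5.21"}),
]


def correlate(advisories, inventory):
    """Assess step: match each advisory against installed software and score the hits.

    A host is affected when it runs the product at a version older than the fix.
    The score multiplies advisory criticality by host exposure and data sensitivity,
    so the same advisory ranks higher on a DMZ host guarding regulated data."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            installed = asset.software.get(adv.product)
            if installed is None:
                continue
            if parse_version(installed) < parse_version(adv.fixed_version):
                score = (CRITICALITY_WEIGHT[adv.criticality]
                         * ZONE_WEIGHT[asset.zone] * DATA_WEIGHT[asset.data])
                findings.append(Finding(asset.host, adv.advisory_id, adv.product,
                                        installed, adv.fixed_version, score))
    # Highest score first; host name breaks ties so output is deterministic.
    return sorted(findings, key=lambda f: (-f.score, f.host, f.advisory_id))


def apply_patch(inventory, host, product, version):
    """Mitigate step: record that a host now runs the patched version (inventory update)."""
    updated = []
    for asset in inventory:
        if asset.host == host and product in asset.software:
            updated.append(replace(asset, software={**asset.software, product: version}))
        else:
            updated.append(asset)
    return updated


def verify_remediation(advisories, inventory, resolved):
    """Verify step: re-run the correlation and return any 'resolved' items still present."""
    remaining = {(f.host, f.advisory_id) for f in correlate(advisories, inventory)}
    return sorted(item for item in resolved if item in remaining)


if __name__ == "__main__":
    for f in correlate(ADVISORIES, INVENTORY):
        print(f"{f.score:>3}  {f.host:<6} {f.advisory_id:<13} {f.product} {f.installed} -> {f.fixed}")
    patched = apply_patch(INVENTORY, "fin02", "ExampleReader", "11.0.10")
    print("still open after patch:", verify_remediation(ADVISORIES, patched, {("fin02", "SA-EXAMPLE-2")}))
```

Running the block ranks the internal finance host's reader flaw above the DMZ browser flaw because of the regulated data behind it, which is the point made about location and data access in the assessment step; the verification call returns an empty list only once the re-scan no longer sees the finding, rather than trusting the ticket that says the patch was deployed.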
Manage workflows and receive reports continuously
The entire lifecycle needs to be underpinned by tools that support workflows and reporting. These tools must be flexible and customizable for use within your organization.
Flexibility is critical because every organization has its own processes and infrastructure, and needs to adhere to different sets of policies and regulations.
And start again …
By continuously repeating the steps in the lifecycle, you consistently reduce the attack surface for hackers and cybercriminals, and thereby reduce risk dramatically.
Our Solutions are Developed to Support the Entire Software Vulnerability Management Lifecycle
Software vulnerabilities continue to be one of the most common weaknesses cybercriminals and hackers use to infiltrate and escalate privileges inside organizations’ infrastructures. According to Secunia Research, 15,435 vulnerabilities were reported in 2014. This is an increase of 18% in relation to the previous year.
Corporate Software Inspector gives you the when, where, what and how of security patching. It tells you when a software vulnerability with an available patch is threatening your infrastructure, where it will have the most critical impact, what the right remediation strategy is and how to deploy it.
Personal Software Inspector is a free computer security solution that identifies vulnerabilities in applications on your private PC. Vulnerable programs can leave your PC open to attacks, against which your antivirus solution may not be effective. Simply put, it scans software on your system and identifies programs in need of security updates to safeguard your PC against cybercriminals. It then supplies your computer with the necessary software security updates to keep it safe.