Implementing a mature security solution like DevSecOps is the goal of almost any organisation that gives importance to security. But not many stop and ask themselves the question ‘And then what?’.
- What happens after multiple tools have been integrated for all applications?
- What happens after exporting those results(often in multiple formats) and feeding them into a Vulnerability management solution?
- Who gets to decide what needs to be fixed and what are the parameters considered?
Managing Vulnerabilities is a problem unto itself, but prioritising those vulnerabilities is equally important.
This post is going to help you decide the parameters you need to be looking at to help you ‘Find Early, Fix Early’. Let’s get started!
In most if not all tools, false positives are bound to occur. There’s no escaping this reality. But, the last thing you want to do is analyse a set of vulnerabilities only to realise that some of them are false positives.
The collateral damage of this can be a combination of losing time, wasting effort and losing confidence in the tool, among other things.
A mature system in place that helps you handle false positives in a scalable manner is going to be quintessential. To begin with, creating multiple filters with some amount of intelligence built in is a recommended approach.
Tip: Always prioritise based on the likelihood of a vulnerability not being a false positive.
A handful of tools such as OWASP ZAP, BurpSuite, GoSec and FindSecBugs to name a few provide ‘Confidence’ scores that can be very helpful in sifting through potential false positives.
The higher the confidence score of a vulnerability, the lower the likelihood of it being a false positive and vice-versa.
Tip: Prioritise based on the overall confidence score of the vulnerability. Higher the confidence score, higher the priority. Below is an example of a result from GoSec:
This is probably a no brainer, but it probably in everybody’s best interest to fix any and all vulnerabilities with a high or a critical severity score.
Just like with `Confidence Score`, most tools provide the severity of vulnerabilities found.
As an alternative, a few tools also provide CVSS score.
Tip: Prioritise based on the Severity score or the CVSS score of the vulnerability. More severe the vulnerability, the higher the priority.
Quick note on CVSS:
CVSS (Common Vulnerability Scoring System) is an industry standard scoring methodology used to provide a numerical value to reflect severity of a Vulnerability by capturing the key characteristics.
The CVSS Score is calculated based on the following:
- Base Score:
Attack Vector(AV), Attack Complexity(AC), Privileges Required(PR), User Interaction(UI), Scope(S), Confidentiality(C), Integrity(I), Availability(A)
Exploit Code Maturity(E), Remediation Level(RL), Report Confidence(RC)
- Confidentiality Requirement(CR), Integrity Requirement(IR), Availability Requirement(AR), Modified Attack Vector(MAV), Modified Attack Complexity(MAC), Modified Privileges Required(MPR), Modified User Interaction(MUI), Modified Scope(MS), Modified Confidentiality(MC), Modified Integrity(MI), Modified Availability(MA)
This metric can be a little tricky to calculate. The idea behind this is that ‘A lot of vulnerabilities exist and can often be found by pen-tests and security scans, but not all of them are actively being exploited in the real world.’
The potential risk or the likelihood of a vulnerability being exploited in the wild can be predicted by paying attention to various hacker forums, looking at the PoCs for new CVEs, following the trend of issues found in bug bounty programs and threat intelligence data.
The effort to fix an issue can vary based on the type of vulnerability and the application. While changing a single function of an endpoint might not necessarily require a lot of effort, using a new library by replacing an old one will potentially impact the entire application and will require both time and effort.
Most, if not all tools provide remediation recommendations, but calculating the effort and the overall time to implement it will be very application specific.