The real impact of a vulnerability in an application depends on the harm it would do to the organization if it were exploited. Prioritizing vulnerabilities before remediation remains a pressing problem, and it grows with the ever-increasing number of reported vulnerabilities. Remediating vulnerabilities in no particular order does not secure an application; fixing them in order of the risk they carry, once that risk is understood, does.
As per Gartner, “The market for products supporting Risk-Based Vulnerability Management (RBVM) is growing rapidly. Based on Gartner research, RBVM revenue is expected to double from 2017, reaching an estimated $70 million in 2018. This estimate includes the much smaller, but closely related markets for application vulnerability correlation (AVC) and application security testing orchestration (ASTO).” *
Organizations commonly commit to fixing a fixed percentage of reported vulnerabilities within a given time frame. That reduces vulnerability management to a counting exercise. Working through every finding in an unprioritized report is unnecessary and slow. Vulnerability management has to be driven by the risk each finding carries: first establish the current state of vulnerabilities in the application, then derive the risk they pose. The rapidly growing number of application-level threats and the increasing sophistication of their attack vectors make the current threat landscape difficult to contain. A risk-based approach focuses effort on reading the assessment reports against that landscape to judge which defects correspond to threats that are actually in play, and then fixing those vulnerabilities first.
Traditionally, organizations have tracked risk reduction (at least on paper) through the metrics their testing tools report across assessment cycles. Adopting a risk-based approach means inserting a prioritization step between discovery and remediation, so that high-risk defects are addressed and closed first. This matters particularly in current security engineering practice, where manual testing and tool-assisted testing are combined, sometimes run against the same application at the same time, and produce overlapping findings.
Orchestron, an application vulnerability correlation (AVC) platform, automatically triages findings and produces consolidated vulnerability reports. The correlated reports present issues in priority order, so teams can focus on remediating high-risk vulnerabilities. A recurring problem for organizations is the lack of reliable data on which vulnerabilities actually pose significant risk to the application. Orchestron's backend intelligence gives a clearer picture of the application's existing risk by showing detailed vulnerability information, severity, and the likely stage at which a vulnerability was introduced. All of this is presented on a single dashboard, which makes it easier for teams to consume and act on.
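As an added illustration of the prioritization-before-remediation step and of what correlating overlapping manual and tool findings looks like in practice, the following Python script (example code written for this page, not Orchestron's implementation) normalizes three constructed scanner reports into one shape, merges findings that refer to the same weakness at the same location, and ranks them by a simple risk score. The report formats, the route-to-file mapping, the severity weights, the asset criticality values, the stage-of-introduction heuristic and the sample data are all assumptions made for illustration.

```python
"""Added example (not Orchestron's code): correlate findings from several
scanners, deduplicate them, and rank them by a simple risk score.
Every format, weight and sample record below is an assumption."""
from dataclasses import dataclass, field

# Constructed sample reports from a SAST tool, a DAST tool and a manual
# pentest, each in its own shape. The overlap on the orders endpoint is deliberate.
SAST_REPORT = [
    {"rule": "sql-injection", "cwe": 89, "file": "app/orders.py", "line": 42, "severity": "high"},
    {"rule": "hardcoded-secret", "cwe": 798, "file": "app/config.py", "line": 7, "severity": "medium"},
    {"rule": "weak-hash", "cwe": 328, "file": "app/auth.py", "line": 88, "severity": "low"},
]
DAST_REPORT = [
    {"name": "SQL Injection", "cwe": 89, "url": "/api/orders", "risk": "High", "evidence": "' OR 1=1--"},
    {"name": "Missing X-Frame-Options", "cwe": 1021, "url": "/", "risk": "Low", "evidence": ""},
]
MANUAL_REPORT = [
    {"title": "SQLi in order lookup", "cwe": 89, "location": "/api/orders", "rating": "critical", "exploited": True},
    {"title": "IDOR on invoice download", "cwe": 639, "location": "/api/invoices/{id}", "rating": "high", "exploited": True},
]

# Assumed route -> source file mapping (from the app's routing table) so that
# runtime findings can be joined with code findings on the same location.
ROUTE_TO_FILE = {"/api/orders": "app/orders.py", "/api/invoices/{id}": "app/invoices.py"}
# Assumed weights: how bad a severity level is, and how important each asset is.
SEVERITY_WEIGHT = {"critical": 10, "high": 8, "medium": 5, "low": 2, "info": 1}
ASSET_CRITICALITY = {"app/orders.py": 1.5, "app/auth.py": 1.5, "app/invoices.py": 1.2}


@dataclass
class Finding:
    cwe: int
    location: str                       # source file where known, else the route
    severity: str
    sources: set = field(default_factory=set)
    exploited: bool = False             # confirmed by a human or by DAST evidence
    titles: set = field(default_factory=set)


def normalize_sast(r):
    return Finding(r["cwe"], r["file"], r["severity"], {"sast"}, False, {r["rule"]})


def normalize_dast(r):
    loc = ROUTE_TO_FILE.get(r["url"], r["url"])
    return Finding(r["cwe"], loc, r["risk"].lower(), {"dast"}, bool(r["evidence"]), {r["name"]})


def normalize_manual(r):
    loc = ROUTE_TO_FILE.get(r["location"], r["location"])
    return Finding(r["cwe"], loc, r["rating"], {"manual"}, r["exploited"], {r["title"]})


def correlate(findings):
    """Merge findings that share (CWE, location): keep the worst severity,
    union the reporting sources, and treat the issue as exploited if any source did."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key not in merged:
            merged[key] = Finding(f.cwe, f.location, f.severity, set(f.sources), f.exploited, set(f.titles))
            continue
        m = merged[key]
        if SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[m.severity]:
            m.severity = f.severity
        m.sources |= f.sources
        m.exploited = m.exploited or f.exploited
        m.titles |= f.titles
    return list(merged.values())


def likely_stage(f):
    # Assumed heuristic: anything static analysis can see was introduced in code;
    # anything only visible in the running application is attributed to deployment.
    return "code" if "sast" in f.sources else "deployment"


def risk_score(f):
    base = SEVERITY_WEIGHT[f.severity]
    exploit = 2.0 if f.exploited else 1.0                 # proven exploitable doubles the score
    criticality = ASSET_CRITICALITY.get(f.location, 1.0)
    corroboration = 1.0 + 0.1 * (len(f.sources) - 1)     # independent sources raise confidence
    return round(base * exploit * criticality * corroboration, 2)


def rank_findings():
    """Return the correlated findings ordered from highest to lowest risk."""
    findings = ([normalize_sast(r) for r in SAST_REPORT]
                + [normalize_dast(r) for r in DAST_REPORT]
                + [normalize_manual(r) for r in MANUAL_REPORT])
    return sorted(correlate(findings), key=risk_score, reverse=True)


if __name__ == "__main__":
    for f in rank_findings():
        print(f"{risk_score(f):5.1f}  CWE-{f.cwe:<5} {f.location:22} {f.severity:8} "
              f"stage={likely_stage(f):10} via={','.join(sorted(f.sources))}")
```

The seven raw records collapse to five findings. The SQL injection that all three sources reported becomes one entry carrying the manual tester's severity, the DAST evidence and the SAST file location, and lands at the top; the missing header that only DAST reported lands at the bottom. The scoring function is deliberately small; what matters is that it is applied after correlation and before anything is assigned for remediation.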
Orchestron helps product teams implement a risk-based approach to vulnerability management efficiently by improving the productivity of security and development engineers. That in turn helps senior management make better decisions about one of security's real constraints: skilled people.
Source* : Gartner, Seizing Opportunities in Risk Based Vulnerability Management, Dale Gardner, 10 December 2018.