Software vulnerabilities pose a growing threat to companies and their customers. In 2021, 28,695 new vulnerabilities were discovered and publicly reported, compared to 23,269 the previous year. Exploitation of these vulnerabilities can have significant impacts on an organization, including the breach of sensitive data, infection by ransomware or other malware, or other disruptions to an organization’s business. Remediating vulnerabilities before they are exploited is essential to managing risk to the organization and its customers.
The Four Steps to Vulnerability Remediation
A vulnerability remediation strategy should include the following four stages.
1. Identification
Before vulnerabilities can be patched, an organization needs to know that they exist. Some methods that companies should employ to find vulnerabilities include:
- Scanning: Vulnerability scanners identify known vulnerabilities in applications and systems based on signatures and Common Vulnerabilities and Exposures (CVE) records. Running a vulnerability scanner from outside the corporate network perimeter shows what an attacker sees; running it from inside, ideally with credentials so it can inspect installed package versions, gives fuller visibility into the organization's digital attack surface.
- Testing: Not every vulnerability has a CVE record, and flaws in code developed in-house never will. Regular testing with static and dynamic application security testing (SAST/DAST) tools and similar solutions helps identify these vulnerabilities.
- Software Composition Analysis (SCA): SCA identifies the libraries and other third-party code used within an organization's applications, including transitive dependencies pulled in indirectly. Insight into these dependencies is critical to identifying and addressing any vulnerabilities that they contain.
New vulnerabilities can be discovered or introduced into software at any time. For this reason, testing should be performed regularly to minimize the window during which a vulnerability could be exploited.
2. Prioritization
Vulnerabilities in software are common, and, in many cases, the effort required to address all of them exceeds what an organization can afford. Time and effort devoted to patch management are not spent on other tasks, which may be more important and valuable to the organization.
When determining which vulnerabilities to address and in which order to do so, an organization should consider a few different factors, including:
- Severity: Different vulnerabilities can have varying impacts on the organization if exploited. The severity of a vulnerability should be considered based on both the impact of the vulnerability and the affected systems. For example, a moderate vulnerability on a critical system may have a greater impact than a critical issue affecting a single employee’s workstation.
- Exploitability: Some vulnerabilities are easier to exploit than others, depending on the attack complexity, whether authentication is required, and whether working exploit code is publicly available. For example, a vulnerability in a public-facing web application that can be triggered without credentials is more likely to be exploited than one that requires privileged access to an organization's internal systems.
- Probability: Not every vulnerability is actively targeted by threat actors, so vulnerabilities for which an exploit is known to exist and to be in active use should be prioritized. For example, Zerologon (CVE-2020-1472) and Log4Shell (CVE-2021-44228) required urgent patching because public exploit code existed and they were being actively exploited. Public lists of vulnerabilities confirmed to be exploited in the wild, such as CISA's Known Exploited Vulnerabilities catalog, are a practical input to this factor.
Based on these factors, an organization can determine the risk that each vulnerability poses to the organization. This risk score sets the order in which vulnerabilities should be addressed and identifies those for which remediation does not provide sufficient return on investment and whose risk may instead be formally accepted.
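As an added worked example (not part of the original article), the ranking below combines the three factors just described into a single score. The weights, the acceptance threshold and the finding records are constructed for illustration; only the two CVE identifiers and their CVSS base scores of 10.0 are real. The `INT-` identifiers are placeholders for internally tracked findings, not CVEs. A finding on an actively exploited list is pushed above everything that is not, and findings whose score falls below the threshold are bucketed for a risk-acceptance decision rather than silently dropped.

```python
"""Risk-based vulnerability prioritization (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Tuple

# Weights are assumptions for illustration; tune them to your asset inventory.
ASSET_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
KNOWN_EXPLOITED_BONUS = 10.0   # lifts exploited-in-the-wild findings above all others
ACCEPT_RISK_BELOW = 2.0        # assumed threshold below which remediation is reviewed for risk acceptance


@dataclass(frozen=True)
class Finding:
    ident: str            # CVE id, or an internal tracking id for non-CVE findings
    host: str
    cvss: float           # CVSS v3 base score, 0.0-10.0 (severity of the flaw itself)
    asset: str            # criticality of the affected system
    exposure: str         # where the system can be reached from (exploitability input)
    known_exploited: bool # on an exploited-in-the-wild list such as CISA KEV (probability input)


def risk_score(f: Finding) -> float:
    """Severity scaled by asset criticality and exposure, plus a bonus for active exploitation."""
    score = f.cvss * ASSET_WEIGHT[f.asset] * EXPOSURE_WEIGHT[f.exposure]
    if f.known_exploited:
        score += KNOWN_EXPLOITED_BONUS
    return round(score, 2)


def prioritize(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Return (remediate, review_for_acceptance), each ordered highest risk first."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.ident, f.host))
    remediate = [f for f in ranked if risk_score(f) >= ACCEPT_RISK_BELOW]
    accept = [f for f in ranked if risk_score(f) < ACCEPT_RISK_BELOW]
    return remediate, accept


# Constructed sample scan output.
SAMPLE_FINDINGS = [
    # critical flaw on a single isolated workstation: high CVSS, low business impact
    Finding("INT-0002", "ws-laura-01", 9.8, "low", "isolated", False),
    # moderate flaw on a critical internal server
    Finding("INT-0001", "erp-db-01", 5.5, "critical", "internal", False),
    # Log4Shell on an internet-facing web server, actively exploited
    Finding("CVE-2021-44228", "web-01", 10.0, "high", "internet", True),
    # Zerologon on a domain controller, reachable only internally but actively exploited
    Finding("CVE-2020-1472", "dc-01", 10.0, "critical", "internal", True),
]


if __name__ == "__main__":
    remediate, accept = prioritize(SAMPLE_FINDINGS)
    for f in remediate:
        print(f"REMEDIATE {risk_score(f):5.2f} {f.ident:16} {f.host}")
    for f in accept:
        print(f"REVIEW    {risk_score(f):5.2f} {f.ident:16} {f.host}")
```

Note how the ordering reproduces the point made under Severity: the moderate flaw on the critical ERP database outranks the critical flaw on an isolated workstation, which lands in the review bucket because its business impact is low.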
3. Patch Deployment and Testing
The complexity of addressing a vulnerability can vary greatly. In some cases, a patch is available from the vendor and may even be rolled out automatically to affected systems. In others, an organization must fix vulnerabilities in its own code. If a fix is not possible or not yet available, compensating controls such as disabling the vulnerable function, restricting network access to it, or blocking known exploit patterns at a web application firewall or IPS can reduce the risk in the meantime.
In all cases, patches should be tested before being deployed, ideally in a staging environment that mirrors production and with a rollback plan ready. This confirms that the update actually fixes the issue and does not create additional problems for the organization.
4. Ongoing Monitoring
While updates are tested before deployment, this does not guarantee that they do their jobs perfectly. Patches can be incomplete or bypassed, and some introduce new flaws; there are multiple examples of threat actors exploiting vulnerabilities that survived an update designed to close them.
Ongoing monitoring gives an organization insight into these potential issues. By rescanning the environment after patches have been implemented, an organization can confirm that the targeted vulnerabilities no longer appear and catch any new findings the update introduced. One caveat: scanners that detect vulnerabilities purely from version strings can report a false positive when a vendor backports a fix without changing the version, so such results should be checked against the vendor's advisory before being reopened.
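The rescan check described above, as an added example that is not part of the original article: two scan snapshots, one taken before the patch run and one after, are compared to report which findings were remediated, which are still outstanding, and which are new. Scan results are constructed inline and keyed by host and identifier; a real implementation would parse the scanner's CSV or JSON export into the same shape. The `INT-` identifiers are placeholders for internally tracked findings, and the planned-fix list is an assumed input from the change ticket.

```python
"""Post-patch remediation verification (added example, constructed data)."""
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str]   # (host, vulnerability identifier)


def compare_scans(before: Iterable[Finding], after: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Classify findings by comparing a pre-patch scan with a post-patch rescan."""
    b, a = set(before), set(after)
    return {
        "remediated": sorted(b - a),   # present before, gone after
        "outstanding": sorted(b & a),  # present in both: fix missing, incomplete, or version-string false positive
        "new": sorted(a - b),          # present only after: possibly introduced by the update
    }


def verify_patch_run(planned: Iterable[Finding],
                     before: Iterable[Finding],
                     after: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Check a patch run against what the change ticket said it would fix.

    Returns the findings that were planned but are still detected (to be
    reopened or checked against the vendor advisory for a backported fix) and
    any new findings that appeared after the run (to be triaged as regressions).
    """
    result = compare_scans(before, after)
    planned_set = set(planned)
    return {
        "not_fixed": [f for f in result["outstanding"] if f in planned_set],
        "regressions": result["new"],
        "fixed": [f for f in result["remediated"] if f in planned_set],
    }


# Constructed scan snapshots.
SCAN_BEFORE: Set[Finding] = {
    ("web-01", "CVE-2021-44228"),
    ("dc-01", "CVE-2020-1472"),
    ("web-01", "INT-0007"),
    ("erp-db-01", "INT-0001"),
}
SCAN_AFTER: Set[Finding] = {
    ("web-01", "INT-0007"),       # planned fix did not take effect
    ("erp-db-01", "INT-0001"),    # not in scope of this patch run
    ("web-01", "INT-0042"),       # appeared only after the update
}
# Assumed content of the change ticket for this patch run.
PLANNED_FIXES: Set[Finding] = {
    ("web-01", "CVE-2021-44228"),
    ("dc-01", "CVE-2020-1472"),
    ("web-01", "INT-0007"),
}


if __name__ == "__main__":
    report = verify_patch_run(PLANNED_FIXES, SCAN_BEFORE, SCAN_AFTER)
    for bucket, items in report.items():
        print(bucket)
        for host, ident in items:
            print(f"  {host:12} {ident}")
```

Findings in `not_fixed` are the ones to reopen; findings in `regressions` go back to the Identification step so they are prioritized like any other new vulnerability.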
How MorganFranklin Can Help
A well-designed vulnerability remediation program can dramatically reduce an organization's cybersecurity risk by closing security gaps in its digital attack surface. By taking a risk-based approach to vulnerability management, a company can ensure that high-risk vulnerabilities are patched promptly and can make informed decisions about how to divide resources between patch management and other cybersecurity priorities.
MorganFranklin’s application security experts have extensive experience in designing vulnerability mitigation programs. This includes both maintaining visibility into the vulnerabilities that require action and designing and deploying solutions to minimize the risk that they pose to the business.