Vulnerability Management: Challenges and Solutions from a Product Security Engineer's Perspective

By Sajid Pervez on 04-10-2024

From a product security engineer’s lens, vulnerability management is one of the key metrics used by organizational leadership to assess the security health of their products. Typically, these metrics focus on SLAs (Service Level Agreements) and remediation times. While this is helpful, it’s a constant battle for teams due to the speed at which scanners find vulnerabilities and the time it takes for humans to fix them.

Fixing security issues is not just a technical problem; people and processes are also required to get it done. — Caroline Wong

Let’s dive in.

What’s Not a Problem

  • Finding vulnerabilities

What Are the Problems and Solutions

  1. Multiple sources
  2. Prioritization
  3. Remediation challenges
  4. The forgotten vulnerabilities

1. Multiple Sources

There are two issues here. The first is the multitude of sources that need to be monitored: SAST scanners, infrastructure scanners, dependency checkers, container scanners, and so on. This can be resolved with vulnerability aggregation tools like OWASP DefectDojo. The second is inconsistency between scanners. I’ve encountered cases where multiple scanners of a similar type scan the same assets and report a CVE with different severity levels, or where one scanner does not detect a critical vulnerability that another does. Though this situation is rare, it’s easy to address by choosing a single scanner for each type of scanning.

2. Prioritization

Prioritization can become problematic if an organization’s assets are not cataloged in a structured way, which makes it difficult to gather contextual information and feed it to the vulnerability management platform (if one exists; if not, that’s a separate problem). Alternatively, enriching the scanner itself with this information can also be challenging.

Assuming that assets composed of various components (code and infrastructure) are cataloged with contextual information like ownership, network, and data sensitivity, prioritization becomes easier to manage.

Key Takeaways:

  • No orphan assets — Define asset ownership through a tagging strategy, GitHub statistics, or a cataloging tool like Atlassian Compass or Backstage.
  • Add metadata to assets — Metadata such as network exposure, data sensitivity, and business criticality provide essential context for a proper risk assessment.
  • Use asset metadata with tools like the Stakeholder-Specific Vulnerability Categorization Calculator (SSVC Calculator).

3. Remediation Challenges

After resolving people and process issues, teams still have to deal with the various scanners (commercial and open-source) that draw on different vulnerability databases. The advice these tools provide ranges from specific line-of-code fixes to general patching guidance, or simply flags a vulnerability in obscure software with no guidance at all.

While prioritization helps reduce remediation challenges, developers still need better guidance. This is easier said than done. One expensive solution is to invest in premium scanning tools or vulnerability aggregation tools (which come with their own unique challenges), but that’s not feasible for everyone. In such cases, the following points may help:

  • Understand the vulnerability better — Leverage ChatGPT or similar tools.
  • Triage effectively to measure or understand the scope (it could be a false positive).
  • Remove unnecessary dependencies, libraries, or software — Developers tend to accumulate these over time.
  • Clearly define development dependencies.
  • For zero-day vulnerabilities, apply segmentation using network rules and monitoring.

4. The Forgotten Vulnerabilities

Vulnerability management programs often have a final step or “exit door” called suppression, exceptions, or risk acceptance. Vulnerabilities are typically risk-accepted or suppressed for several reasons:

  • False positives — These are straightforward and should be added to the forgotten list.
  • Product teams are more feature-focused — They require more support from security and leadership.
  • Legacy products are approaching decommissioning.

Of these, the last case often leads to suppression or acceptance. If these vulnerabilities aren’t automatically tracked, they become the forgotten ones. Vulnerability aggregation tools can assist in such cases, but without them, tracking becomes challenging.
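As an added example (not from the original post), here is how the catalog metadata from the Prioritization section and the exception tracking from this section can be combined in one enrichment step: each finding is joined to its asset record, routed to an SSVC-style outcome, and flagged when it belongs to an orphan asset or a lapsed risk acceptance. The catalog, findings, CVE placeholders and decision rules are all constructed for illustration and are not the official SSVC decision tree.

```python
from datetime import date

# Constructed asset catalog: the metadata a cataloging tool (Backstage, Compass)
# or a tagging strategy would export. Names and values are made up.
CATALOG = {
    "payments-api":  {"owner": "team-payments", "exposure": "internet", "data": "pci", "criticality": "high"},
    "internal-wiki": {"owner": "team-it", "exposure": "internal", "data": "internal", "criticality": "low"},
    "legacy-report": {"owner": "team-finance", "exposure": "internal", "data": "pii", "criticality": "medium"},
}

# Constructed scanner findings. CVE ids are placeholders; 'exploited' would come from
# an enrichment feed such as CISA KEV, 'accepted_until' from the exception register.
FINDINGS = [
    {"asset": "payments-api",  "cve": "CVE-0000-0001", "cvss": 7.5, "exploited": True},
    {"asset": "internal-wiki", "cve": "CVE-0000-0002", "cvss": 9.8, "exploited": False},
    {"asset": "legacy-report", "cve": "CVE-0000-0003", "cvss": 6.1, "exploited": False,
     "accepted_until": "2024-01-31"},
    {"asset": "unknown-svc",   "cve": "CVE-0000-0004", "cvss": 8.0, "exploited": False},
]

def decide(finding, asset, today):
    """Simplified decision loosely modelled on SSVC outcomes (track/track*/attend/act).
    The rules are an illustration (assumption), not the official SSVC decision tree."""
    if asset is None or not asset.get("owner"):
        return "orphan"                  # nobody to assign it to: fix the catalog first
    accepted = finding.get("accepted_until")
    if accepted:
        if date.fromisoformat(accepted) >= today:
            return "accepted"            # risk acceptance still in force, keep tracking
        return "expired-acceptance"      # the exception lapsed: a 'forgotten' vulnerability
    exposed = asset["exposure"] == "internet"
    sensitive = asset["data"] in {"pci", "pii"}
    if finding["exploited"] and (exposed or sensitive):
        return "act"
    if finding["exploited"] or (exposed and finding["cvss"] >= 7.0):
        return "attend"
    if finding["cvss"] >= 9.0 or asset["criticality"] == "high":
        return "track*"
    return "track"

def prioritize(findings=FINDINGS, catalog=CATALOG, today_iso="2024-10-04"):
    """Map each CVE to a decision, enriching findings with catalog metadata."""
    today = date.fromisoformat(today_iso)
    return {f["cve"]: decide(f, catalog.get(f["asset"]), today) for f in findings}

if __name__ == "__main__":
    for cve, outcome in prioritize().items():
        print(cve, outcome)
```

Note that the CVSS 9.8 finding on the internal, low-criticality wiki lands in track* while the 7.5 on the internet-facing payments API lands in act; that inversion is exactly what the asset metadata buys you.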

Summary

Vulnerability management is an essential metric for assessing an organization’s security health, but it presents several challenges beyond just finding vulnerabilities. These challenges include managing multiple sources of information, prioritizing vulnerabilities, addressing remediation issues, and preventing vulnerabilities from being forgotten. While tools like vulnerability aggregators and asset cataloging platforms can help, effective vulnerability management also requires robust processes, cross-team collaboration, and, in some cases, innovative approaches to triage and fix vulnerabilities efficiently.