Implementing a vulnerability management process
Any weakness within a system has the potential to be exploited by threats, leading to loss or compromise of data, or service disruption. When delivering a service, you need to determine how vulnerabilities will be identified, mitigated and remedied.
Vulnerabilities can occur as a result of security control flaws, insecure features or user error. Attackers may look to exploit any or all of these. The longer they exist, the more susceptible a system becomes to being attacked. Managing vulnerabilities involves taking appropriate actions to reduce the risk of exploitation.
This is a complementary activity to performing a security risk assessment and threat modelling, which should be conducted before vulnerabilities are discovered.
A clear process that governs how you manage and respond to vulnerabilities will allow you to:
- assess and prioritise vulnerabilities
- maintain confidence in keeping systems and data protected against new vulnerabilities
- reduce the risk of onward infection to other systems within your organisation
- improve the consistency of security controls and reduce the likelihood of human error
- increase the probability of compliance with legal and regulatory requirements
Vulnerability management should be a process embedded throughout the project lifecycle. Potential vulnerabilities should be addressed during the design phase and vulnerability management procedures should be included during development and deployment. Ongoing vulnerability testing and response management should continue as the service evolves.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to build in detect and respond security and embed continuous assurance.
Who is involved
Your vulnerability management process should be devised by your project’s DevOps team with direction from security and technical architects.
Plans should be discussed with your Senior Responsible Officer (SRO) and service owner so they can agree that the proposed actions related to vulnerabilities are appropriate and proportionate. Close collaboration should also happen with development teams so they are aware of expectations when it comes to resolving vulnerabilities.
How to define a vulnerability management process
Before developing your own plan for managing vulnerabilities, discuss with security professionals within your organisation to see what existing processes are in place that can be used or adapted for your needs.
If your organisation doesn’t have any existing vulnerability management processes available to you, this should be raised with your Chief Digital Information Officer (CDIO) and Chief Information Security Officer (CISO) as a fundamental organisational risk.
Step 1: Establish vulnerability management protocols
You should develop an approach reflecting your organisational structure that outlines how vulnerabilities will be identified, assessed, prioritised and remedied.
As this action is proactive, you will be unaware of the exact vulnerabilities you are preparing for. However, it’s still possible to categorise the types of vulnerabilities you may encounter and design appropriate procedures to guide you when they do occur.
For example, you will know which roles within your security and development teams are responsible for carrying out the various methods used to discover vulnerabilities. Documenting these procedures should include how frequently they are required to perform scans, and what steps are required when vulnerabilities are identified.
Different vulnerabilities may require different actions. For example, a minor issue could be reported, logged and resolved within the delivery team, whereas a more serious issue may require escalation to senior management who will need to be consulted on the appropriate next steps.
Standard approaches for addressing vulnerabilities should also be included within your procedures so a consistent process can be taken across the service. Depending on the type of vulnerability this may include applying patches or updates, implementing compensating controls to mitigate the vulnerability, reviewing and fixing the code, or developing a workaround. Each approach should have an associated time and resource estimate that can be referred to by project planning teams when action is required.
For vulnerabilities that are unknown, create a set of emergency procedures that can be followed including the people and resources you may need to be made available, the data you may need to back up, and the processes involved in shutting down or containing systems.
Step 2: Develop a vulnerability register
Create a mechanism for recording and tracking the progress of vulnerabilities as they are discovered and addressed. This will provide stakeholders and delivery teams with a clear view of all current and resolved vulnerabilities related to a service.
A vulnerability register should include:
- how the vulnerability was identified – this could be through an internal process to discover vulnerabilities or via an external report
- a short description of the vulnerability
- the systems and components it affects
- the severity of the vulnerability – for example, from ‘1 – Minor’ to ‘5 – Critical’
- the potential impact of the vulnerability – mapped to the risk register created when performing a security risk assessment
- the remediation steps that have been taken – include details of whether they have been successful or not
- the status of the vulnerability – for example, Open, Closed, or Mitigated
Step 3: Incorporate vulnerability management into project planning
The vulnerability register should be a living document that is updated whenever a new vulnerability is identified, or there is a change in the status of an open vulnerability.
The tasks (such as installing patches or fixing code) that are generated as a result of a vulnerability being added to the register should be assessed, prioritised and assigned during project planning meetings. Prioritising vulnerabilities will allow you to focus efforts on the most critical vulnerabilities, using the risk impact as a guide for what should be remedied first.
As these tasks are completed and the necessary testing has been carried out to confirm a successful resolution, the register can be updated with the latest information.
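A minimal register that holds the fields listed in Step 2 and applies the Step 3 prioritisation (risk impact first, then severity), written here as an added Python example rather than anything from the guidance itself. The status lifecycle, the 1 to 5 impact scale and the VULN-/RISK- references are assumptions, and the sample entries are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
class Status(Enum):
    OPEN = "Open"
    MITIGATED = "Mitigated"
    CLOSED = "Closed"

# Assumed lifecycle: the guidance names the states but not the transitions between them.
TRANSITIONS = {Status.OPEN: {Status.MITIGATED, Status.CLOSED},
               Status.MITIGATED: {Status.OPEN, Status.CLOSED},  # a compensating control can fail
               Status.CLOSED: set()}  # closed entries are not reopened in place

@dataclass
class Vulnerability:
    ref: str          # register identifier (constructed values in sample_register)
    source: str       # how identified: internal scan or external report
    description: str
    affected: list    # systems and components it affects
    severity: int     # 1 Minor .. 5 Critical
    impact: int       # risk impact, assumed to use the same 1..5 scale
    risk_ref: str     # the risk register entry it maps to
    remediation: list = field(default_factory=list)
    status: Status = Status.OPEN

    def __post_init__(self):
        if not (1 <= self.severity <= 5 and 1 <= self.impact <= 5):
            raise ValueError("severity and impact must be between 1 and 5")

@dataclass
class VulnerabilityRegister:
    entries: dict = field(default_factory=dict)  # keyed by ref

    def record_remediation(self, ref, step, succeeded):
        self.entries[ref].remediation.append(f"{step}: {'successful' if succeeded else 'unsuccessful'}")

    def set_status(self, ref, new_status):
        current = self.entries[ref].status
        if new_status not in TRANSITIONS[current]:
            raise ValueError(f"{current.value} -> {new_status.value} is not an allowed transition")
        self.entries[ref].status = new_status

    def prioritised(self):  # unresolved entries, highest risk impact first, then severity
        todo = [v for v in self.entries.values() if v.status is not Status.CLOSED]
        return sorted(todo, key=lambda v: (v.impact, v.severity), reverse=True)

def sample_register():  # constructed sample entries, not real findings
    v1 = Vulnerability("VULN-001", "internal scan", "outdated TLS library", ["api-gateway"], 4, 5, "RISK-03")
    v2 = Vulnerability("VULN-002", "external report", "stack trace in error page", ["web-frontend"], 2, 2, "RISK-07")
    v3 = Vulnerability("VULN-003", "internal scan", "admin console exposed to internet", ["admin-console"], 5, 5, "RISK-01")
    return VulnerabilityRegister({v.ref: v for v in (v1, v2, v3)})
```

Rejected status transitions and out-of-range severities raise ValueError, so a register built on this cannot silently skip the Mitigated or Closed bookkeeping.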
Step 4: Share your vulnerability management plans
It’s important to let people across your organisation know how vulnerabilities are being managed. Effective communication and collaboration with the relevant stakeholders will contribute to the success of your vulnerability management program.
There are five key stages at which communication should happen.
1. When your vulnerability management plans have been created
This should be distributed and explained to everyone in the delivery team and wider organisation who plays a potential role in vulnerability management. This should also take place when there are significant updates to procedures.
2. When vulnerability tests are being carried out
The results of scan reports and assessments should be shared with delivery managers, development teams and system administrators so they can be aware of what’s being reviewed and what actions may be required.
3. When a vulnerability has been identified
Your procedures will determine who needs to be informed based on the severity of the vulnerability. This may include the suppliers of external systems who can help coordinate mitigation efforts based on contractual agreements.
4. While a vulnerability is being remedied
Your risk register will provide a useful guide to project management teams involved in decision making, as well as those actively involved in resolving issues such as developers and network or system administrators.
5. Following the successful resolution of a vulnerability
To reduce the likelihood of a vulnerability recurring, share information on how it was identified and resolved with the appropriate teams.
It’s also important to educate users and employees about the importance of vulnerability management and how they can contribute to service security. Use appropriate communication channels to share relevant information regarding vulnerabilities and their potential impact, to raise awareness and promote good security practices.
Once you have a process for managing and responding to vulnerabilities, you can focus on discovering vulnerabilities.