If top notch cybersecurity is the goal, effective vulnerability management can help a company get there. Don’t believe us? Then take the word of the US Cybersecurity & Infrastructure Security Agency (CISA):
It is reasonable to say that vulnerability management is central to cyber resilience.
In this post we’re we want to help you with a better understanding around vulnerability management including how it works, the key best practices, and how ProjectDiscovery should be part of your solution.
We’ll outline the terms to help you understand what vulnerability management and learn how to differentiate it from other security issues. Once we’ve covered the basics, we’ll introduce some of the amazing open source tools ProjectDiscovery has that can help you get a handle on your own vulnerability management strategy.
Understanding the issue
What are vulnerabilities?
Vulnerabilities are essentially weaknesses in an organization’s data, assets, or resources. Many areas of an organization can potentially contain vulnerabilities, and the sheer volume can complicate discovery and remediation. In most cases it’s not possible for an organization to address every vulnerability – the trick is to find and deal with those that are exploitable because they represent the greatest highest risk of damage.
How are vulnerabilities categorized? And what’s the goal?
The goal in categorizing vulnerabilities narrowing your focus. Not all vulnerabilities have the same impact, and with a continuously expanding scope you have to be able to devote your resources to what actually matters.
To help sift through the vulnerability noise, the Common Vulnerability Scoring System offers an open source rating that can be used to level-set the threat risk. The CVSS ranges from 0 to 10. The National Vulnerability Database (NVD) provides another threat reality check and works with the CVSS to help teams decipher the potential for exploitable vulnerabilities. The NVD provides another useful tool – a library of common vulnerabilities and exposures (CVEs) – organizations can use as a reference.
All that said, we can’t stress enough that every vulnerability isn’t necessarily exploitable, and we’re seeing lots of evidence of vulnerability “inflation” that can truly muddy the waters for everyone. The Exploit Prediction Scoring System (EPSS) is a newer (and potentially more clear-headed) resource for organizations struggling to make sense of the threat landscape.
What is vulnerability management?
Today’s organization’s have a laundry list of security best practices to follow, of which vulnerability management is just one in a series of steps. With so many potential “weaknesses” floating around, vulnerability management is a continuous and codified effort to assess the threats and risks and create a systematic response for discovery and remediation.
Vulnerability management is a close cousin to attack surface management but its focus is more sharply on the “soft spots” rather than an organization’s network as a whole. A vulnerability assessment is something that happens as part of vulnerability management, but the terms aren’t interchangeable: vulnerability management is an ongoing process while a vulnerability assessment is meant to be a one-time effort.
Why does vulnerability management matter?
Cybersecurity attacks have dramatically increased in number, scope, and damage level, and that doesn’t look likely to change for the foreseeable future. Organizations have never had more to lose – including sales, reputation, investors and even potential employees – so adopting a detailed vulnerability management plan makes sense.
It’s impossible to prevent all cyberattacks, but instead, as CISA has suggested, organizations need to build the vulnerability management processes that will allow for better resilience.
It’s a lot to navigate, and we’re here to provide solutions. ProjectDiscovery offers tools that can help discover the full scope of your assets, identify incoming threats with the support of a vast community, and focus on remediating the real threats to your organization.
Finding the right solutions
Getting started with vulnerability management
Like any cross functional effort, a vulnerability management effort is going to require a good bit of groundwork ahead of time in order to make sure it’s targeting the right areas. Market research firm Gartner offers a Vulnerability Management Guidance Framework that includes some critical homework teams need to do before they consider anything.
Gartner suggests teams ask the following questions, with security professionals taking the lead:
- How broad should the vulnerability management effort be?
- Which roles are required to participate? What should their areas of ownership be?
- What should our vulnerability management policies be? What should our service level agreements and objectives entail?
- As we categorize our assets, can we surface all necessary context?
- What vulnerability management solutions best fit out needs? How would they fit in the tech stack?
What are the key steps in vulnerability management?
Experts suggest organizations tackle a vulnerability management strategy by dividing it into five parts: define the scope, emphasize what matters most, roll out, track the performance and improve as necessary.
- Define the scope: Thanks to work done beforehand, teams should have a good idea of the challenges and the landscape, and can focus on a detailed strategy that will lead to a plan of attack.
- Understand what matters most: Organizational change is always hard, so make it easier by ensuring the plan is focused on vulnerabilities that are the most threatening. Mapping a vulnerability management plan to a team’s priorities is going to make it easier to sell, implement, and evolve over time. It’s also important to make sure the right roles and responsibilities are included in this effort because confusion over responsibilities can make it harder to achieve success, particularly during an emergency.
- Implement: Roll out the plan (with training available as needed), and follow the steps including vulnerability assessments, discovery, cataloging, exposure management and root cause analysis. As vulnerabilities are found choose to remediate, mitigate or live with them, decisions that can be made based on organizational priorities.
- Evaluate the impact: After a trial run it’s key to clearly evaluate the entire process. Retrospectives with key players and all data points will be key to helping to identify potential changes or weaknesses. Double check that the vulnerability management process didn’t accidentally introduce additional weak spots.
- Revise and improve: Tweak the vulnerability management process as needed and then try again.
How risk and speed play a role in vulnerability management
Although the broad brush strokes of vulnerability management will likely be similar in most organizations, there are two areas where it is important to fully understand the corporate appetites, priorities, and potential legal restrictions: risk and speed.
Every business has a unique comfort level with risk, and that has to be baked into a vulnerability management effort right from the beginning. What might be reckless in one entity is business as usual in another, so take the time to thoroughly understand all the risk-related factors. Regulated industries will likely have a far lower tolerance for risk – so when in doubt, consult with legal, compliance, and audit experts. Also, even non-regulated businesses may be under intense performance pressure due to contracts with SLOs, so, again, it is key to keep these sometimes hidden priorities in mind.
The other potential wrinkle with a vulnerability management program is around speed. We believe the most important metric is the time from vulnerability disclosure to detectionbut how fast is fast enough? The perception of speed is going to vary from organization to organization, but it’s a key issue to raise, discuss, and continue to revisit in order to ensure the vulnerability management plan is the most effective it can be.
For most organizations, the right vulnerability management tools automate discovery and remediation and make it easier to stay on top of the many moving parts.
For engineers, pen testers, bug bounty hunters, AppSec professionals, and organizations looking to get started, we definitely recommend starting with open source. Experimenting with open-source tools helps avoid vendor lock-in and takes advantage of security hive mind contributions from community members. Our open source tools are available in a variety of categories around discovery, enrichment, and detection.
For discovery, check out tools like:
- Subfinder: a subdomain discovery tool that can find and return valid subdomains for websites.
- Naabu: a Go-based port scanning tool that enumerates valid ports quickly and reliably.
- Chaos: a comprehensive API dataset of DNS entries from across the internet that ProjectDiscovery maintains. Learn more about the dataset here.
- Cloudlist: a multi-cloud tool to discover assets across your cloud providers
Keep in mind, that these four tools are just a few of the discovery tools ProjectDiscovery has to offer. With others like Katana, Uncover, and ASNMap – our open source offerings are a great way to get started in identifying the assets you need to protect.
Learn more about these tools throughout our centralized documentationor by exploring our GitHub repositories.
To look into enrichment, review:
- Httpx: for a fast, multi-purpose HTTP toolkit to support running multiple probes using a public library.
- dnsx: for a fast, multi-purpose DNS toolkit with filtering support from ProjectDiscovery’s shuffledns.
- Tlxs: a fast configurable TLS grabber for data collection and analysis.
And for detection explore:
- Nuclei: a template-driven fast scanning engine for applications, cloud infrastructure, and networks to find and remediate vulnerabilities.
- Interactsh: an open-source tool for detecting out-of-band (OOB) vulnerabilities that may not be detected with conventional tools or methods.
- Notify: a Go-based package to streamline the process of monitoring output from various tools and files. Easily pipe the output to a selection of supported platforms.
- CVEMap: a structured and easy way to explore CVEs from the command line, sourced from multiple public sources.
Ready for Professional Features?
For users that are looking for “set and forget” automation, or automation that can be scheduled with attack surface management capabilities ProjectDiscovery is also actively building our ProjectDiscovery Cloud Platform.ProjectDiscovery Cloud Platform allows for easy configuration, management, and detection. It includes capabilities to:
- Schedule routine scans using our library of thousands of templates to track new exploitable vulnerabilities on your assets
- Generate and share reports
- Retest specific vulnerabilities
- Implement integrations with Slack and Email
- Import your own template library directly from GitHub
ProjectDiscovery has a ton of solutions that let you choose from tools to let you and your team act like hackers. We want to help you start on your journey towards effective, scalable vulnerability management with open source tool and quickly see what the hackers are seeing.
Get ahead of the issues with real-time reporting, because no matter what audits are going to happen, a tool that tracks data is particularly valuable. And finally, don’t forget that integration will save time, money, energy and probably team sanity.
GIPHY App Key not set. Please check settings