How To Prioritize Vulnerabilities In AppSec
The DevOps world is all about frequent sprints and continuous delivery, and teams just can’t keep up with the tidal wave of vulnerabilities and findings. With the move to the cloud and constantly expanding threat surfaces, it's difficult for teams to decide which vulnerabilities to prioritize. It's especially difficult if you don’t have a ASPM platform to streamline these decisions.
Here are some insights into how to ensure that teams prioritize vulnerabilities in a way that’s optimized and productive...
The importance of prioritization
“…the fact that I could get through potentially thirty, forty, fifty, sixty, a hundred, two hundred different vulnerabilities and take care of that because I prioritized…”
When doing a manual hunt, a dev would start out with the quickest wins, sorting out the vulnerabilities that are the easiest to fix to maximize productivity. The ability to prioritize vulnerabilities and do bulk remediation is a major game changer in the DevOps world. If a developer tries to manually remediate vulnerabilities one by one, they would barely be able to address 20-25 vulnerabilities in a 10-hour shift. However, they can remediate exponentially more vulnerabilities with prioritization.
Using correlation & context to determine criticality
As co-host Mark will tell you, correlation is vital for getting insights from a particular CVE about what findings are correlated with it. For example, if you encounter a CVE with a high base score that the threat intelligence tool is informing you is a critical CVE to address, then you can look at the correlated findings to obtain an optimized use case.
However, there is a context associated with a finding associated with a particular CVE, like the severity reported by the threat intelligence tool. For example, you might get a critical from Snyk, but is it a critical threat to your AppSec process? You need to be able to normalize severity across tools so that everyone on the team is on the same page regarding threat severity.
It is also important to consider the additional pieces of metadata involved regarding the tools and techniques, alongside the context, like the application or sub-application module associated with a particular finding. For example, if it’s a high availability, high-impact confidentiality asset, you’d need to protect it more than a back-end data science application.
Your prioritization plan should be smart to understand these differences. With ArmorCode, we accommodate all these different variables with our finding score, aggregating things together to give you a nuanced score on an individual finding level, that along with the correlation insights can help you prioritize vulnerabilities effectively.
Approaching prioritization from a RiskOps perspective
Contextually speaking, if there is an internet-facing asset like infrastructure or application, it could be weighted differently because it’s facing the internet. But what if it’s a lighthouse box being used for threat analysis research? Now, even if it’s not facing the internet, it’s still a critical asset that needs to be prioritized. So, now you’d want to keep track of any notifications related to that asset as it’s contextually relevant and important for you.
While prioritizing findings and vulnerabilities for mediation, it also has to be populated with a RiskOps perspective. It is vital to know about the organizational, applicational, and modular level risk with a particular asset group within your organization so that you can focus resources and assign teams accordingly.
So, with the challenges of dealing with a large number of vulnerabilities, developers need to assess risk on a macro level and focus on prioritizing individual findings.
To learn more about prioritizing vulnerabilities, listen to our conversation in this episode of 𝙇𝙚𝙩'𝙨 𝙏𝙖𝙡𝙠 𝘼𝙥𝙥𝙎𝙚𝙘𝙊𝙥𝙨.