1. Initial Preparation
In this stage, the team decides the scope and goals of vulnerability testing. This involves:
- Identifying protected assets and equipment and mapping out all endpoints.
- Determining the business value of each asset and the impact if it is attacked.
- Identifying access controls and other security requirements of each system.
- Determining if systems hold sensitive data, and how sensitive data is transferred between systems.
- Recording a baseline of services, processes, and open ports on protected assets.
- Determining operating systems and software deployed on assets.
This information can help security teams understand the attack surfaces and the most severe threat scenarios, and develop a remediation strategy.
2. Vulnerability Assessment Testing
In this stage, the team runs automated vulnerability scans on target devices and environments. If necessary, they use manual tools to investigate the security posture of a system.
To automate this stage and make it more efficient, teams typically rely on one or more vulnerability databases, vendor security advisories, and threat intelligence feeds.
A single test can take anywhere from a minute to several hours, depending on the size of the target system and the type of scan.
3. Prioritize Vulnerabilities
At this stage, the team removes false positives from the vulnerability scanning results and prioritizes the remaining vulnerabilities according to several factors. These can include:
- Severity score provided by a vulnerability database
- The business impact if a vulnerability is exploited
- Sensitive data that might be at risk
- The ease of exploiting the vulnerability
- How long the vulnerability has been in place
- The ability to perform lateral movement from this system to other sensitive systems
- The availability of a patch and the effort needed to deploy it
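One way to turn these factors into a repeatable ranking, as an added example that is not part of the original article: the 1-5 scales, the weights, the remediation buckets and the sample findings are my own assumptions, and only the CVSS range (0.0-10.0) comes from a published standard.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                # identifier from the vulnerability database (placeholders below)
    asset: str
    cvss: float             # severity score from the vulnerability database, 0.0-10.0
    business_impact: int    # assumed 1 (negligible) .. 5 (critical) if exploited
    sensitive_data: bool    # asset stores or transfers sensitive data
    exploit_ease: int       # assumed 1 (theoretical) .. 5 (trivial, public exploit)
    age_days: int           # how long the vulnerability has been in place
    lateral_movement: bool  # a foothold here reaches other sensitive systems
    patch_available: bool
    patch_effort: int       # assumed 1 (routine) .. 5 (major change window)
    false_positive: bool = False

def risk_score(f: Finding) -> float:
    """Weighted 0-100 score from the factors above; the weights are assumptions."""
    score = f.cvss * 3                  # up to 30: database severity
    score += f.business_impact * 5      # up to 25: business impact
    score += 10 if f.sensitive_data else 0
    score += f.exploit_ease * 3         # up to 15: ease of exploitation
    score += min(f.age_days, 90) / 9    # up to 10: exposure window, capped at 90 days
    score += 10 if f.lateral_movement else 0
    return round(score, 1)

def remediation_bucket(f: Finding) -> str:
    """Patch availability and effort decide how to act, not whether."""
    if not f.patch_available:
        return "mitigate"               # compensating control until a fix ships
    return "patch-now" if f.patch_effort <= 2 else "schedule-patch"

def prioritize(findings):
    """Drop false positives, then order the remaining findings by risk, highest first."""
    return sorted((f for f in findings if not f.false_positive),
                  key=risk_score, reverse=True)

# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-XXXX-0001", "web-01", 9.8, 5, True, 5, 30, True, True, 1),
    Finding("CVE-XXXX-0002", "build-07", 7.5, 2, False, 2, 200, False, True, 4),
    Finding("CVE-XXXX-0003", "web-01", 9.1, 5, True, 5, 3, True, True, 1, True),
    Finding("CVE-XXXX-0004", "db-02", 5.3, 4, True, 3, 10, True, False, 3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.cve}  {f.asset}  {remediation_bucket(f)}")
```

Note that the confirmed false positive (CVE-XXXX-0003) never reaches the ranking, and that the database-only CVSS order (9.8, 7.5, 5.3) differs from the final order once business impact, data sensitivity and lateral movement are weighed in.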
4. Create a Vulnerability Assessment Report
At this stage, the team creates a unified report showing vulnerabilities found in all protected assets, with a plan for remediating them.
For medium- to high-risk vulnerabilities, the report should provide information about the vulnerability, when it was discovered, which systems it affects, the potential damage if attackers exploit it, and the plan and effort required to remediate it.
Where possible, the team should also provide a proof of concept (PoC) demonstrating how each critical vulnerability could be exploited.
5. Continuous Vulnerability Assessment
Vulnerability scans provide a point-in-time snapshot of vulnerabilities that exist in an organization's digital infrastructure. However, new deployments, configuration changes, newly discovered vulnerabilities, and other factors can result in new vulnerabilities. Because vulnerabilities are not static, vulnerability management should also be a continuous process.
Software development teams should incorporate automated vulnerability assessment into their continuous integration and deployment (CI/CD) pipeline. This allows vulnerabilities to be identified and fixed as early as possible in the software development lifecycle (SDLC), eliminating the need to develop and release patches for vulnerable code.
However, because this process cannot catch all vulnerabilities, and many vulnerabilities occur in legacy or third-party systems, it must be complemented by continuous vulnerability scans of production systems.