HackerOne

Vulnerability Management | A Complete Guide and Best Practices

complete guide

We explain what vulnerability management is and why it matters, and we give a step-by-step guide to implementing a vulnerability management process.

What is vulnerability management?

Vulnerability management is the process of continuously identifying, categorizing, and remediating technology system security vulnerabilities. Vulnerability management is a critical component of maintaining security.

Why Is Vulnerability Management Important?

Vulnerabilities are weaknesses in an organization's internal controls that cybercriminals can exploit to access sensitive corporate data or disrupt systems.

Organizations must manage vulnerabilities because of increasing cyber-attacks. Organizations discover thousands of vulnerabilities every day, requiring them to prioritize by severity, patch applications, and reconfigure their network security settings. 

Organizations reported a total of 18,103 vulnerabilities in 2020—the highest number ever registered in one year—at an average rate of 50 per day, according to the US National Institute of Standards and Technology and its National Vulnerability Database. 

Fifty-seven percent (10,342) of vulnerabilities in 2020 were classified as critical or high severity, more than the total number of vulnerabilities recorded in 2010 (4,639).

Managing vulnerabilities also helps organizations comply with regulations and standards, such as the General Data Protection Regulation (GDPR) now in place across the EU and UK. 

The main types of vulnerabilities include the following:

  • Network vulnerabilities: Malicious actors use weaknesses in hardware, software, or operational processes, such as out-of-date firewall policies and poorly configured Wi-Fi access points, to gain access to the network.
  • Operating system vulnerabilities: Malicious actors use these bugs in operating system software to access the other parts of an asset or network to cause damage.
  • Application vulnerabilities: Cybercriminals use these flaws to compromise an application's security, putting anyone using those applications at risk.
  • Configuration vulnerabilities: Cybercriminals exploit these flaws that stem from incomplete installations, poorly executed system changes, and default deployments to attack networks and devices. 

How Does Vulnerability Management Relate to Vulnerability Assessments and Vulnerability Scans?

Managing vulnerabilities helps organizations avoid unauthorized access, illicit credential usage, and data breaches. This ongoing process starts with a vulnerability assessment

A vulnerability assessment identifies, classifies, and prioritizes flaws in an organization's digital assets, network infrastructure, and technology systems. Assessments are typically recurring and rely on scanners to identify vulnerabilities. 

Vulnerability scanners look for security weaknesses in an organization's network and systems. Vulnerability scanning can also identify issues such as system misconfigurations, improper file sharing, and outdated software. 

Most organizations first use vulnerability scanners to capture known flaws. Then, for more comprehensive vulnerability discovery, they use ethical hackers to find new, often high-risk or critical vulnerabilities.

What Tools Can Help with Vulnerability Management?

Organizations have access to several vulnerability management tools to help look for security gaps in their systems and networks.

Qualys Vulnerability Management

Pros

  • Affordable
  • Offers accurate, automated scanning
  • Strong automation features

Cons

  • False positives
  • Slow endpoint scanning speeds

Tenable.sc

Pros

  • Advanced analytics
  • Real-time metrics
  • Continuous visibility
  • Compliance monitoring

Cons

  • May be too challenging for small to midsize organizations to maintain
  • May be too expensive for smaller organizations

Tripwire IP360

Pros

  • Prioritizes vulnerabilities
  • Suggests remediation approaches

Cons

  • Can be difficult to implement and use

GFI LanGuard

Pros

  • Intuitive interface
  • Patch management for third-party software, operating systems, and web browsers

Cons

  • Issues with detecting vulnerabilities
  • Can be difficult to read on-screen report previews

How Do Hackers Fortify the Vulnerability Management Process? 

Increasing cyberattacks force organizations to find ways to mitigate risk and improve their security profiles to stay ahead of malicious actors. An IDC Research Services survey finds 78% of IT leaders aren't confident in their organization's security and have increased cybersecurity funding for 2021. 

Many organizations turn to the hacker community to help prevent cyberattacks. Organizations benefit from hackers because hackers approach detecting vulnerabilities by thinking like cybercriminals figuring out how they might access systems and wreak havoc. Hackers find vulnerabilities in infrastructure, applications, and open-source code so organizations can fix the issues before cyberattacks occur. 

True vulnerability management combines software tools and security experts to reduce risk. Organizations use hackers to enhance the effectiveness of vulnerability scanners or vulnerability management tools. Their experience, expertise, and creativity allow them to uncover security flaws that scanning devices miss.

How Are Vulnerabilities Defined?

Common Vulnerabilities and Exposures (CVEs), Common Weakness Enumeration (CWE), and the Common Vulnerability Scoring System (CVSS) help define software weaknesses and vulnerabilities.

CVE is a catalog of known security vulnerabilities and exposures. The CVE system offers a way for organizations to share information about vulnerabilities and exposures publicly. Each vulnerability receives a unique ID number that gives users a reliable way to tell one vulnerability from another.  

CWE is a community-developed list of software and hardware weaknesses that may lead to vulnerabilities. The CWE refers to vulnerabilities while the CVE pertains to the specific instance of a vulnerability in a system or product.

The CVSS is an open industry standard that assesses a vulnerability's severity. The standard assigns a severity score from 0.0 (the lowest risk) to 10.0 (the highest risk), so organizations can prioritize their remediation efforts effectively.

Should Organizations Publicly Report Vulnerabilities Researchers Discover?

Some cybersecurity experts say researchers should immediately disclose a discovered vulnerability publicly, providing specific information about the vulnerability's exploitability. These experts believe this process results in faster patching and more secure software. 

Others are against public reporting, arguing that malicious actors will then further exploit those flaws. They favor private vulnerability disclosure, allowing each organization decides whether to publish the vulnerability details. 

Responsible disclosure aims for a compromise between these approaches. With responsible disclosure, a researcher delivers a confidential report to the organization and then publishes the details once a patch is available. An organization provides a standard timeframe to remediate the bug but may ask for an extension because of extenuating circumstances. The report will then remain private until the security team patches the flaw. If the organization isn't responsive or never patches the vulnerability, the hacker may publicly disclose the flaw.

What Are the Steps in Vulnerability Management?  

There are five stages in the vulnerability management process:

  1. Discover: Organizations must identify vulnerabilities that could negatively impact their systems. Hackers discover external attack surfaces cybercriminals can exploit. Once an organization understands its attack surfaces, it can use a Vulnerability Disclosure Program (VDP) to collect the vulnerabilities gathered by hackers or concerned third parties. An organization may also set up a bug bounty program to reward hackers who find vulnerabilities.
     
  2. Assess: After discovering the vulnerabilities, it's time to evaluate their severity to prioritize security efforts and reduce risks faster. Hackers can choose a blanket severity of low, medium, high, or critical or use the CVSS calculator to input specific information and calculate an exact score.
     
  3. Remediate: Organizations patch the most severe vulnerabilities first. Organizations may want to reduce access to certain risk areas or increase monitoring to prevent cybercriminals from exploiting vulnerabilities until they permanently increase protections or apply patches. Organizations should repeat this stage as they identify new vulnerabilities.
     
  4. Verify: Organizations perform additional scans to determine if they remediated the vulnerabilities successfully.
     
  5. Refine: The best way for organizations to refine their vulnerability management programs is to benchmark against peers and look for emerging threats. Following best practices can also help organizations improve their vulnerability management processes.

What Are Some Challenges in Vulnerability Management?

To stay ahead of cybercriminals, organizations must understand the challenges of managing vulnerabilities. These include the following:

  • Prioritizing vulnerabilities improperly: Since security teams can't patch every bug, the list of vulnerabilities increases with each new scan. Large organizations can have thousands of flaws at any time, so determining which to prioritize and fix immediately is challenging.
     
  • Vulnerability scanner problems: Scanners miss some vulnerabilities, and they generate false positives, so the security team has to intervene, interpret the results, and determine an organization's true security status.
     
  • Overwhelming volume of vulnerabilities in reports: Vulnerability scan reports can be long and extensive. Each report includes thousands of flaws and numerous false positives. Consequently, a security team cannot address all the report's action items, undermining the organization's ability to keep its systems patched.

What Are the Best Practices in Vulnerability Management?

To stay current with the latest changes in software, identify new systems added to networks, and uncover new vulnerabilities, an organization should follow these best practices.

Implement a Vulnerability Management Strategy

This allows an organization to develop and enhance visibility into its infrastructure, helping ensure the organization can respond effectively to security risks. A successful strategy includes security controls that combine people, processes, and technology.

Deploy the Right Tools

There are many vulnerability scanning tools on the market, but some are better than others. Before choosing a scanning tool, organizations should consider the following criteria:

  • Ensure Usability: The tool should suit all users, be easy to install and offer automation to perform repetitive actions.
  • Determine False-Positive Rates: Organizations should determine the false-positive rates of the tools they're considering. Those that trigger false alarms can cost organizations time and money as their security teams will then have to perform manual scanning.
  • Define Metrics: The best scanning tools offer comprehensive reports that provide accurate information about identified vulnerabilities, an overall security overview, and a trends analysis. 
  • Scan Frequently: To keep new vulnerabilities out of their networks, organizations must regularly scan to discover and remediate those flaws.
  • Remediate Vulnerabilities Promptly: Organizations need to classify vulnerabilities according to risk, severity, and impact, and remediate the most critical flaws first—within 48 hours for highly critical vulnerabilities and within a week for non-critical flaws.
  • Employ Automation: Organizations should implement systems and technologies to automate processes to reduce attack surfaces. 

How Can HackerOne Help with Vulnerability Management?

HackerOne Assessments provides on-demand, continuous security testing for your organization. The platform allows you to track progress through the kickoff, discovery, testing, retesting, and remediation phases of an engagement. Whether you’re looking to meet regulatory standards, launch a product, or prove compliance, we’ll help your security teams find and close flaws before cybercriminals exploit them.

HackerOne delivers access to the world’s largest and most diverse community of hackers in the world. Contact us to learn more.

 

The 8th Annual Hacker-Powered Security Report

HPSR blog ad image