VULNERABILITY ASSESSMENT: SECURITY SCANNING PROCESS
1. VULNERABILITY IDENTIFICATION (TESTING)

The objective of this step is to draft a comprehensive list of an application's vulnerabilities. Security analysts test the security health of applications, servers or other systems by scanning them with automated tools, or by testing and evaluating them manually. Analysts also rely on vulnerability databases, vendor vulnerability announcements, asset management systems and threat intelligence feeds to identify security weaknesses.
2. VULNERABILITY ANALYSIS

The objective of this step is to identify the source and root cause of the vulnerabilities identified in step one. It involves identifying the system components responsible for each vulnerability, and the root cause of the vulnerability. For example, the root cause of a vulnerability could be an old version of an open source library. This provides a clear path for remediation: upgrading the library.
3. RISK ASSESSMENT

The objective of this step is to prioritize vulnerabilities. It involves security analysts assigning a rank or severity score to each vulnerability, based on factors such as:

1. Which systems are affected.
2. What data is at risk.
3. Which business functions are at risk.
4. Ease of attack or compromise.
5. Severity of an attack.
6. Potential damage as a result of the vulnerability.
4. REMEDIATION

The objective of this step is to close the security gaps. It's typically a joint effort by security staff, development and operations teams, who determine the most effective path for remediation or mitigation of each vulnerability.

Specific remediation steps might include:

1. Introduction of new security procedures, measures or tools.
2. Operational or configuration changes.
3. Development and implementation of a vulnerability patch.
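As an added example (not from the original post), a small Python script that walks the four steps above on constructed data: it identifies outdated libraries against a constructed advisory list, records the root cause and the upgrade as the remediation, and ranks the findings by the risk factors listed in step 3. Package names, versions, scores and the weighting formula are all assumptions chosen for illustration.

```python
"""Minimal vulnerability assessment pipeline: identify outdated libraries,
record root cause and remediation, then rank findings by risk factors."""


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Constructed advisory records (hypothetical package names): a library is
# vulnerable when its installed version is older than the fixed version.
# 'ease' (1-3) is how easy the weakness is to exploit; 'severity' is CVSS-like.
ADVISORIES = [
    {"package": "examplelib", "fixed_in": "2.4.1", "severity": 9.8, "ease": 3},
    {"package": "otherlib", "fixed_in": "1.0.5", "severity": 5.3, "ease": 1},
]

# Constructed asset inventory: installed packages plus the business context
# step 3 needs (network exposure, data sensitivity, business criticality), 1-3.
INVENTORY = [
    {"system": "payments-api", "exposure": 3, "data": 3, "business": 3,
     "packages": {"examplelib": "2.3.0", "otherlib": "1.0.5"}},
    {"system": "internal-wiki", "exposure": 1, "data": 1, "business": 1,
     "packages": {"examplelib": "2.0.0", "otherlib": "0.9.0"}},
]


def identify(inventory, advisories):
    """Steps 1 and 2: match installed versions against advisories and record
    the root cause (old library version) and the remediation path (upgrade)."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            installed = asset["packages"].get(adv["package"])
            if installed and parse_version(installed) < parse_version(adv["fixed_in"]):
                findings.append({
                    "system": asset["system"], "package": adv["package"],
                    "root_cause": f"{adv['package']} {installed} is older than {adv['fixed_in']}",
                    "remediation": f"upgrade {adv['package']} to {adv['fixed_in']}",
                    "severity": adv["severity"], "ease": adv["ease"],
                    "exposure": asset["exposure"], "data": asset["data"],
                    "business": asset["business"]})
    return findings


def risk_score(f):
    """Step 3: combine affected system, data, business function, ease of attack
    and severity into one number (weighting is an illustrative assumption)."""
    likelihood = f["ease"] * f["exposure"]                 # reachable and exploitable?
    impact = f["severity"] * (f["data"] + f["business"])   # what is at stake?
    return round(likelihood * impact, 1)


def prioritize(findings):
    """Rank findings so that remediation (step 4) starts at the top."""
    return sorted(findings, key=risk_score, reverse=True)
```

Running `prioritize(identify(INVENTORY, ADVISORIES))` puts the internet-facing payments system's outdated library first and the low-exposure wiki's findings last, with each finding carrying its remediation string.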
Vulnerability assessment cannot be a one-off activity. To be effective, organizations must operationalize this process and repeat it at regular intervals. It is also critical to foster cooperation between security, operations and development teams – a process known as DevSecOps.