Vulnerability assessment: Security scanning process
1. Vulnerability identification (testing)
The objective of this step is to draft a comprehensive list of an application's vulnerabilities. Security analysts test the security health of applications, servers or other systems by scanning them with automated tools, or by testing and evaluating them manually. Analysts also rely on vulnerability databases, vendor vulnerability announcements, asset management systems and threat intelligence feeds to identify security weaknesses.
2. Vulnerability analysis
The objective of this step is to identify the source and root cause of the vulnerabilities found in step one. It involves identifying the system component responsible for each vulnerability and the root cause of that vulnerability. For example, the root cause of a vulnerability could be an old version of an open source library. This provides a clear path for remediation – upgrading the library.
3. Risk assessment
The objective of this step is to prioritize the vulnerabilities. Security analysts assign a rank or severity score to each vulnerability, based on factors such as:
1. Which systems are affected.
2. What data is at risk.
3. Which business functions are at risk.
4. Ease of attack or compromise.
5. Severity of an attack.
6. Potential damage as a result of the vulnerability.
4. Remediation
The objective of this step is to close the security gaps. It is typically a joint effort by security staff and the development and operations teams, who determine the most effective path for remediation or mitigation of each vulnerability. Specific remediation steps might include:
1. Introduction of new security procedures, measures or tools.
2. Operational or configuration changes.
3. Development and implementation of a vulnerability patch.
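As an added example (not code from the original post), a small Python triage helper covering steps 2 and 3 above: it attributes each finding to a component and a root cause (an outdated library versus a configuration or code weakness), scores it on the six factors listed under risk assessment, and ranks the findings with a suggested remediation path. The sample findings, factor weights, 1-to-3 rating scale and severity thresholds are all constructed assumptions.

```python
# Constructed data and assumed weights/thresholds for illustration; not from the post.
WEIGHTS = {  # the six step-3 factors, each rated 1 (low) to 3 (high); weights assumed
    "systems_affected": 1, "data_at_risk": 2, "business_functions": 2,
    "ease_of_attack": 2, "attack_severity": 1, "potential_damage": 2,
}
# Constructed findings: step-2 analysis (component, versions) plus step-3 ratings.
FINDINGS = [
    {"id": "F-1", "component": "examplelib", "installed": "1.2.0", "fixed_in": "1.4.1",
     "systems_affected": 3, "data_at_risk": 3, "business_functions": 3,
     "ease_of_attack": 3, "attack_severity": 3, "potential_damage": 3},
    {"id": "F-2", "component": "webapp-config", "installed": None, "fixed_in": None,
     "systems_affected": 1, "data_at_risk": 2, "business_functions": 1,
     "ease_of_attack": 1, "attack_severity": 2, "potential_damage": 1},
    {"id": "F-3", "component": "parserlib", "installed": "2.0.10", "fixed_in": "2.0.9",
     "systems_affected": 2, "data_at_risk": 2, "business_functions": 2,
     "ease_of_attack": 2, "attack_severity": 2, "potential_damage": 2},
]

def version_tuple(v):
    """'2.0.10' -> (2, 0, 10): compare numerically; as strings "2.0.10" < "2.0.9"."""
    return tuple(int(p) for p in v.split("."))

def root_cause(f):
    """Step 2: name the responsible component, its likely root cause and the fix."""
    inst, fixed = f["installed"], f["fixed_in"]
    if inst and fixed and version_tuple(inst) < version_tuple(fixed):
        return "outdated library", f"upgrade {f['component']} {inst} -> {fixed}"
    return "configuration or code weakness", "change configuration or develop a patch"

def risk_score(f):
    """Step 3: weighted sum of the six factor ratings (max 30 with these weights)."""
    return sum(WEIGHTS[k] * f[k] for k in WEIGHTS)

def severity_band(score):
    """Map a score to a band; the thresholds are assumed, not from the post."""
    ratio = score / (3 * sum(WEIGHTS.values()))
    if ratio >= 0.9: return "critical"
    if ratio >= 0.6: return "high"
    return "medium" if ratio >= 0.4 else "low"

def prioritize(findings):
    """Rank findings highest risk first, annotated with cause and remediation."""
    ranked = []
    for f in sorted(findings, key=risk_score, reverse=True):
        cause, fix = root_cause(f)
        score = risk_score(f)
        ranked.append({"id": f["id"], "score": score, "band": severity_band(score),
                       "cause": cause, "remediation": fix})
    return ranked
```

Running `prioritize(FINDINGS)` ranks F-1 (critical, upgrade examplelib) ahead of F-3 and F-2; note that F-3 is not flagged as outdated because the version comparison is numeric, not lexical.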
Vulnerability assessment cannot be a one-off activity. To be effective, organizations must operationalize this process and repeat it at regular intervals. It is also critical to foster cooperation between security, operations and development teams – a process known as DevSecOps.