An AppSec Perspective on Vulnerability Management
Vulnerability management has always been the cornerstone of cybersecurity practices, as AppSec professionals need to detect and fix vulnerabilities and make the software more secure. However, how can you know when a vulnerability has been mitigated?
In the seventh episode of Let’s Talk AppSecOps, Mike Lambert, Vice President of Products at Armor Code, and Luis Guzman, application security and infrastructure security extraordinaire, talk about the vulnerability management process and how to ensure that a vulnerability has been remediated using a proper workflow.
Establishing a triaging workflow
Organizations rely on various security tools that detect vulnerabilities within the pipeline or infrastructure. It is essential to establish a triaging workflow for detecting and fixing vulnerabilities. While the process may differ for different organizations, generally, it involves finding the vulnerability, defining its criticality, and assigning it to a particular team of developers. So, you must establish a consistent framework that everyone agrees upon and follow up with a workflow to ensure everyone is on the same page.
Upon detecting a vulnerability, it is vital to assess its risk before taking further action. Is it a low-risk vulnerability that should be reported as a false positive, or do you need to resolve it? If it’s a code-level issue, then it’s essential to assign the vulnerability so that it can be remediated. There are multiple ways to assign a vulnerability, like creating a ticket or sending it to the appropriate team and notifying them on Slack. You may also have to check whether you have access to the right projects while working on Jira and assigning vulnerabilities.
How ArmorCode helps you automate the workflow
Vulnerability management can be challenging as it is important to determine whether the vulnerability was actually fixed. Also, you may want to document the process of vulnerability remediation. Therefore, there has to be more visibility in the process of remediating tickets and fixing vulnerabilities, as it makes everyone on the team accountable.
Currently, many tools are available that can do parts and pieces of the vulnerability management process. However, ArmorCode allows you to customize the workflow through a no-code automation framework to streamline the specifics of your organization. For example, you could do the ticketing in Jira upon detecting a vulnerability. But if this is a high-profile threat, you might also want to inform developers on Slack automatically, as most developers may not check out the tickets immediately. You could also set the appropriate criticality on the ticket as it is created.
Vulnerability management: An AppSec perspective
From an AppSec perspective, you want a clear understanding of all the vulnerabilities and findings the team is working on to remediate today. While you may not be able to make a DAST scan immediately, a scan from Snyk or some SAST analysis can reveal if a particular finding has been mitigated.
Also, it is vital to keep track of the SLA connected to that ticket and the time taken by the developer to fix the issue. You’ll also need automated notifications to monitor the vulnerability management process while dealing with multiple vulnerabilities.
These various strategies help you streamline your vulnerability management process and ensure that the vulnerabilities are fixed.
To learn more about vulnerability management, listen to the entire conversation between Mark and Luis in this episode of Let’s Talk AppSecOps.