How To Prioritize Vulnerabilities In AppSec
The DevOps world is all about frequent sprints and continuous delivery, and teams just can’t keep up with the tidal wave of vulnerabilities and findings. With the move to cloud and constantly expanding threat surfaces, it is difficult for teams to decide which vulnerabilities to prioritize. It is especially difficult if you don’t have an AppSecOps platform to streamline these decisions.
In the eighth episode of Let’s Talk AppSecOps, Mark Lambert, Chief Product Officer of ArmorCode, engages with Senior Solutions Engineer Luis Guzman to provide insights about how to ensure that teams prioritize vulnerabilities in a way that’s optimized and productive.
The importance of prioritization
“…the fact that I could get through potentially thirty, forty, fifty, sixty, a hundred, two hundred different vulnerabilities and take care of that because I prioritized…”
Luis Guzman shares his experience as a developer scanning for vulnerabilities. While doing a manual hunt, a developer would start with the quickest wins, sorting out the vulnerabilities that are the easiest to fix to massively boost their productivity. The ability to prioritize vulnerabilities and do bulk remediation is a major game changer in the DevOps world. If a developer tries to manually remediate vulnerabilities one by one, they could barely do 20-25 vulnerabilities in a 10-hour shift. However, they can remediate exponentially more vulnerabilities with prioritization.
Using correlation and context to determine criticality
According to Mark, correlation is vital for getting insights from a particular CVE about what findings are correlated with it. For example, if you encounter a CVE with a high base score that the threat intelligence tool is informing you is a critical CVE to address, then you can look at the correlated findings to obtain an optimized use case.
However, there is a context associated with a finding associated with a particular CVE, like the severity reported by the threat intelligence tool. For example, you might get a critical from Snyk but is it a critical threat for your AppSec process? You need to be able to normalize severity across tools so that everyone on the team is on the same page regarding threat severity.
It is also important to consider the additional pieces of metadata involved regarding the tools and techniques, alongside the context, like the application or sub-application module associated with a particular finding. For example, if it’s a high availability, high-impact confidentiality asset, you’d need to protect it more than a backend data science application.
Your prioritization plan should be smart to understand these differences. With ArmorCode, we strive to accommodate all these different variables with our finding score, aggregating things together to give you a nuanced score on an individual finding level, that along with the correlation insights can help you prioritize vulnerabilities effectively.
Approaching prioritization from a RiskOps perspective
Contextually speaking, if there is an internet-facing asset like infrastructure or application, it could be weighted differently because it’s facing the internet. But what if it’s a lighthouse box being used for threat analysis research? Now, even if it’s not facing the internet, it’s still a critical asset that needs to be prioritized. So, now you’d want to keep track of any notifications related to that asset as it’s contextually relevant and important for you.
While prioritizing findings and vulnerabilities for mediation, it also has to be populated with a RiskOps perspective. It is vital to know about the organizational, applicational, and modular level risk with a particular asset group within your organization, so that you can focus resources and assign teams accordingly.
So, with the challenges of dealing with a large number of vulnerabilities, it is essential for developers to assess risk on a macro level and focus on prioritizing individual findings.
To learn more about prioritizing vulnerabilities, listen to the full conversation between Mark and Luis in this episode of Let’s Talk AppSecOps.