Software Vulnerability Management Lifecycle – Step by Step
Secunia Research turns indiscriminate information into verified intelligence
When a software vulnerability becomes publicly known, Secunia Research investigates it and either rejects or verifies it. Once verified, the vulnerability is given a criticality rating and described in full. The description includes details about attack vectors, impact and recommended mitigating actions – available patches or possible workarounds.
The verified intelligence is then sent to our customers through our Software Vulnerability Management solutions: Vulnerability Intelligence Manager, Corporate Software Inspector and Personal Software Inspector.
Assess: The vulnerability intelligence is correlated with our user’s environment
- New Vulnerability Verified
The first critical step enabling assessment is the timely access to accurate, verified intelligence about software vulnerabilities. By obtaining the intelligence from a comprehensive and reliable source you avoid wasting time on false positives, while ensuring your threat picture is complete.
- Asset Inventory / Discovery
This intelligence then needs to be correlated with the asset inventory of your environment, to identify vulnerable applications and to provide a map of the software vulnerabilities present in your infrastructure. This requires a continuously updated inventory, based on precise scans and mapping.
- Assess and Prioritize Risk
The correlation between the vulnerability intelligence and your asset inventory enables you to assess the risk to your environment and prioritize your mitigation efforts. The location of the vulnerable application in your infrastructure, and the data it potentially provides access to, help you decide how urgently the issue must be fixed. Risk assessment is further supported by tools to classify, group and filter assets, customize criticality ratings, and set up distribution lists and alerts. With numerous software vulnerabilities disclosed and verified every day, the ability to prioritize the issues is important.
Once you’ve identified and qualified the threat, the next step is mitigation – applying remediation or a work-around to deflect the threat. Supported by the assessment activities, classification and filters, the team responsible for mitigation can prioritize their resources and focus on the issues posing the most imminent threat to your organization.
Secunia Research always delivers information on possible solutions to the specific vulnerabilities. And for some mitigation activities, such as security patch management, dedicated technology can further support efficiency by providing the tools and content which can ensure patches are deployed effectively.
The final step is verification. For different areas of the organization, different verification methods can be applied. These can be ticketing systems, scanners or reports.
Regardless of which method you choose, this step is critical, first of all to ensure that mitigation is performed successfully, but also to enable visibility, transparency and accountability within your organization.
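The assess and verify steps above describe a correlation: verified advisories (product, fixed version, criticality) are matched against an asset inventory, each hit is weighted by where the asset sits and what data it exposes, and the same correlation is re-run after remediation to confirm the findings are gone. The following Python is an added illustration of that loop, not Secunia or Flexera code; the advisory IDs, product names, hosts, zone and data weights and the five-step criticality scale are all constructed for the example.

```python
"""Correlate verified vulnerability intelligence with an asset inventory,
rank the findings by risk, and verify remediation by re-correlating.

Added example; all identifiers and weights below are constructed."""
from dataclasses import dataclass

# Ordinal weights (constructed). A vendor's own criticality scale and the
# organisation's own zone / data classifications would be mapped in here.
CRITICALITY = {
    "not_critical": 1, "less_critical": 2, "moderately_critical": 3,
    "highly_critical": 4, "extremely_critical": 5,
}
ZONE_WEIGHT = {"internal": 1, "dmz": 2, "internet_facing": 3}
DATA_WEIGHT = {"public": 1, "internal": 2, "confidential": 3}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str        # first version that contains the fix
    criticality: str


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    zone: str            # key of ZONE_WEIGHT
    data: str            # key of DATA_WEIGHT


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> tuple, so that comparison is numeric."""
    return tuple(int(part) for part in version.split("."))


def is_affected(advisory: Advisory, asset: Asset) -> bool:
    """An asset is affected when it runs the product below the fixed version."""
    return (advisory.product == asset.product
            and parse_version(asset.version) < parse_version(advisory.fixed_in))


def risk_score(advisory: Advisory, asset: Asset) -> int:
    """Criticality weighted by exposure (zone) and by the data at stake."""
    return (CRITICALITY[advisory.criticality]
            * ZONE_WEIGHT[asset.zone] * DATA_WEIGHT[asset.data])


def correlate(advisories, assets):
    """Assess step: map advisories onto the inventory, highest risk first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(adv, asset):
                findings.append({
                    "host": asset.host, "product": asset.product,
                    "version": asset.version, "advisory": adv.advisory_id,
                    "fixed_in": adv.fixed_in, "score": risk_score(adv, asset),
                })
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


def verify_remediation(previous, advisories, current_assets):
    """Verify step: re-run the correlation on a fresh inventory and split the
    earlier findings into those now closed and those still open."""
    still_open = {(f["host"], f["advisory"])
                  for f in correlate(advisories, current_assets)}
    closed = [f for f in previous if (f["host"], f["advisory"]) not in still_open]
    open_ = [f for f in previous if (f["host"], f["advisory"]) in still_open]
    return closed, open_


# Constructed sample intelligence and inventory.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "example-web", "2.4.1", "highly_critical"),
    Advisory("EXAMPLE-0002", "example-ftp", "1.2.0", "moderately_critical"),
]
INVENTORY = [
    Asset("web01", "example-web", "2.3.9", "internet_facing", "confidential"),
    Asset("web02", "example-web", "2.4.1", "internet_facing", "confidential"),
    Asset("ftp01", "example-ftp", "1.1.4", "internal", "internal"),
    Asset("db01", "example-db", "9.6", "internal", "confidential"),
]
# Inventory rescanned after web01 was patched; ftp01 left untouched.
PATCHED_INVENTORY = [
    Asset("web01", "example-web", "2.4.1", "internet_facing", "confidential"),
] + INVENTORY[1:]

if __name__ == "__main__":
    findings = correlate(ADVISORIES, INVENTORY)
    for f in findings:
        print(f"{f['score']:>3}  {f['host']:<6} {f['product']} {f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']})")
    closed, open_ = verify_remediation(findings, ADVISORIES, PATCHED_INVENTORY)
    print("closed:", [f["host"] for f in closed], "open:", [f["host"] for f in open_])
```

Note that web02 runs exactly the fixed version and therefore produces no finding, while web01 outranks ftp01 not because its advisory is more severe alone but because it is internet-facing and holds confidential data; the verification pass then reports web01 closed and ftp01 still open until the inventory shows it upgraded.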
Manage workflows and receive reports continuously
The entire lifecycle needs to be underpinned by tools to support workflows and reporting. These tools must be flexible and able to be customized for use within your organization.
Flexibility is critical because every organization has its own processes and infrastructure, and needs to adhere to different sets of policies and regulations.
And start again …
By continuously repeating the steps in the lifecycle, you consistently reduce the attack surface for hackers and cybercriminals, and thereby reduce risk dramatically.
Our Solutions are Developed to Support the Entire Software Vulnerability Management Lifecycle
Software Vulnerability Manager Research facilitates effective reduction of the attack surface for cybercriminals, providing access to verified intelligence from Secunia Research at Flexera, covering all applications and systems across all platforms. It drives prioritization by handling intelligence, workflows, tickets and alerts, and describes the steps to mitigate the risk of costly breaches.
FlexNet Code Insight empowers organizations to take control of and manage use of open source software (OSS) and third-party components. It helps development, legal and security teams use automation to create a formal OSS strategy and policy that balances business benefits and risk management.