In Depth
How SCAP Brought Sanity to Vulnerability Management
Orbitz CISO Ed Bellis explains how the proliferation of vulnerability assessment products and services has created chaos, and how SCAP may be the answer.
By Ed Bellis, Orbitz CISO
May 11, 2009 — CSO —
It's safe to say that vulnerability assessment tools have become commonplace within most security teams' toolboxes. As security programs mature, they often begin to look at ways to automate tasks that are mundane and repetitive. [Related: How to Handle Security Patches With Sanity]
These applications have become better at identifying common mistakes within Web applications, patch management, configurations, systems and database hardening.
But with the proliferation of vulnerability assessment products and services, we have begun to create a different problem. [Related: The Failure of Security Investments]
Any organization that maintains a reasonably sized infrastructure or Web presence can easily end up with many different applications, services and tools to maintain and monitor their vulnerabilities. These tools include V.A. scanners to identify security bugs within applications, databases, hosts and networks.
Vulnerability management programs may also employ software-as-a-service (SaaS) solutions to assist in vulnerability identification through both automated tools and manual testing.
Static source code analysis tools add to the internal store of vulnerabilities. Want more data? How about adding the results of your penetration tests?
This vulnerability data may include Web application vulnerabilities -- technical vulnerabilities missed by VA scanners, social engineering exploits through a lack of processes or awareness and logic flaws.
A Mountain of Data
As we begin to find out, in some cases, maturity can bring complexity and more data! But more data is just the tip of the iceberg. How does a CISO connect all of this data? How does management understand what issues and bugs should be prioritized when conducting remediation?
Once prioritized, how do we then migrate these bugs to our bug -- tracking, change -- management and trouble ticketing systems?
Your problem is not only managing the mountain of data you're sitting on, it now includes managing all of this data described in different ways -- managing vulnerability assessment reports that contain overlapping bugs or false positives. Identifying your bugs and problems are no longer the primary issues. You now have to do something about them.
In order to get these vulnerabilities closed, the security teams need to start sorting and moving this data around and getting the appropriate issues in front of management, developers and engineers.
You've taken the step to add more tools to your management arsenal to eliminate the mundane and repeatable tasks only to have your team stuck with enough mundane and repeatable tasks to occupy a small army of security professionals!
So when taking on this problem, I set out with six basic requirements:
SCAP
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
