Vulnerability management

Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities. [1] Vulnerability management is integral to computer security and network security, and must not be confused with vulnerability assessment. [2]

Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, [3] such as open ports, insecure software configurations, and susceptibility to malware infections. They may also be identified by consulting public sources such as the NVD, vendor-specific security updates, or a commercial vulnerability alerting service. Unknown vulnerabilities, such as a zero-day, [3] may be found with fuzz testing. Fuzzing is a cornerstone technique in which random or semi-random input data is fed to a program to detect unexpected behavior. Tools such as AFL (American Fuzzy Lop) and libFuzzer automate this process, making it faster and more efficient. Fuzz testing can identify certain kinds of vulnerabilities, such as a buffer overflow, given relevant test cases. Similarly, static analysis tools analyze source code or binaries to identify potential vulnerabilities without executing the program. Symbolic execution, an advanced technique combining static and dynamic analysis, further aids in pinpointing vulnerabilities. [4] Such analysis can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).
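Fuzzing as described above, shown in an added example that is not part of the original article: a small mutational fuzzer written for this page (no AFL or libFuzzer involved) feeds mutated inputs to a constructed, deliberately fragile record parser and records any exception the parser does not raise on purpose. The record format, the parser, the seed inputs and all names are assumptions made for the illustration; the Python IndexError the fuzzer finds stands in for the out-of-bounds read that the same logic in C would turn into a buffer overflow. A bounds-checked version of the parser sits beside it so the fix is visible.

```python
"""Mutational fuzzing against a toy parser, with the bounds-checked fix beside it.

Added illustration; the record format, parser, seeds and fuzzer are all
constructed for this example (no AFL/libFuzzer involved).
"""
import random

# Constructed format: [name_len:1][name][value_len:1][value]


def parse_record(data: bytes) -> dict:
    """Deliberately fragile: trusts the length bytes without checking them.

    In Python the unchecked index raises IndexError; the same logic in C
    would read past the end of the buffer.
    """
    name_len = data[0]
    name = data[1:1 + name_len]
    value_len = data[1 + name_len]          # out of range when name_len is too large
    value = data[2 + name_len:2 + name_len + value_len]
    return {"name": name.decode("ascii"), "value": value}


def parse_record_safe(data: bytes) -> dict:
    """Hardened version: every length is checked, and bad input raises ValueError."""
    if len(data) < 2:
        raise ValueError("record too short")
    name_len = data[0]
    if len(data) < 2 + name_len:
        raise ValueError("name length exceeds buffer")
    value_len = data[1 + name_len]
    if len(data) < 2 + name_len + value_len:
        raise ValueError("value length exceeds buffer")
    name = data[1:1 + name_len].decode("ascii")   # UnicodeDecodeError is a ValueError
    value = data[2 + name_len:2 + name_len + value_len]
    return {"name": name, "value": value}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations (the 'semi-random' part)."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(5)
        if op == 0 and buf:                              # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                            # overwrite one byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2:                                    # insert a random byte
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == 3 and buf:                            # delete one byte
            del buf[rng.randrange(len(buf))]
        elif op == 4:                                    # truncate at a random point
            del buf[rng.randint(0, len(buf)):]
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, rng_seed=1, expected=(ValueError,)):
    """Feed mutated seeds to target; keep the first input per unexpected exception type.

    ValueError is the parser's documented way of rejecting input, so it is not a crash.
    """
    rng = random.Random(rng_seed)          # seeded so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:           # anything else is a bug worth a test case
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEEDS = [b"\x03key\x05value", b"\x00\x00", b"\x01a\x01b"]   # constructed valid records

if __name__ == "__main__":
    print("fragile parser:", fuzz(parse_record, SEEDS))
    print("hardened parser:", fuzz(parse_record_safe, SEEDS))
```

Running the block prints the first crashing input per exception type for the fragile parser and an empty result for the hardened one. Real fuzzers such as AFL go further by keeping mutants that reach new code (coverage feedback) and using them as new seeds; this toy only mutates the fixed seed corpus, which is enough to find unchecked-length bugs but not bugs hidden behind deeper parsing state.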

Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software, or educating users about social engineering.
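The identify, classify, prioritize and remediate cycle from the opening paragraph, worked through in an added Python example that is neither the article's nor any vendor's code. The asset inventory and advisory feed are constructed inline (advisory ids such as ADV-0001 are placeholders, not real CVE numbers), the severity bands follow the standard CVSS v3 qualitative rating scale, and the extra weight given to internet exposure and known exploitation is an assumption chosen for the illustration.

```python
"""Worked vulnerability-management cycle: identify, classify, prioritize, remediate.

Added illustration; the inventory, advisory feed and priority weighting below are
constructed for this example and are not real NVD data or vendor code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # placeholder id, NOT a real CVE number
    product: str
    fixed_in: tuple          # first version that contains the fix
    cvss: float              # CVSS v3 base score, 0.0 - 10.0
    exploited_in_wild: bool  # known exploitation raises urgency


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: tuple
    internet_facing: bool


def parse_version(text: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def identify(assets, advisories):
    """Step 1: a finding is an asset running a version below the fixed one."""
    return [(asset, adv) for asset in assets for adv in advisories
            if adv.product == asset.product and asset.version < adv.fixed_in]


def classify(cvss: float) -> str:
    """Step 2: CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0.0 else "none"


def priority_score(asset, adv) -> float:
    """Step 3: base score plus context; the +3/+2 weights are assumptions."""
    score = adv.cvss
    if adv.exploited_in_wild:
        score += 3.0
    if asset.internet_facing:
        score += 2.0
    return score


def prioritize(findings):
    return sorted(findings, key=lambda f: priority_score(*f), reverse=True)


def remediation_plan(findings):
    """Step 4: one concrete action per finding, most urgent first."""
    return [{
        "host": asset.hostname,
        "advisory": adv.advisory_id,
        "severity": classify(adv.cvss),
        "priority": priority_score(asset, adv),
        "action": f"upgrade {asset.product} to >= " + ".".join(map(str, adv.fixed_in)),
    } for asset, adv in prioritize(findings)]


# Constructed sample data (placeholder advisory ids, invented products)
ADVISORIES = [
    Advisory("ADV-0001", "webserver", parse_version("2.4.1"), 9.8, True),
    Advisory("ADV-0002", "webserver", parse_version("2.3.0"), 5.3, False),
    Advisory("ADV-0003", "dbengine", parse_version("14.2.0"), 7.5, False),
]
ASSETS = [
    Asset("web01", "webserver", parse_version("2.4.0"), True),
    Asset("web02", "webserver", parse_version("2.2.9"), False),
    Asset("db01", "dbengine", parse_version("14.1.3"), False),
    Asset("db02", "dbengine", parse_version("14.2.0"), False),  # already patched
]

if __name__ == "__main__":
    for item in remediation_plan(identify(ASSETS, ADVISORIES)):
        print(f"{item['priority']:5.1f} {item['severity']:8} {item['host']:6} "
              f"{item['advisory']} -> {item['action']}")
```

The point of the context weighting is that two hosts with the same advisory do not get the same urgency: the internet-facing web01 ranks above web02 for ADV-0001, and web02's medium-severity ADV-0002 ranks below db01's high-severity finding. In a real program the remediation action would also branch on the alternatives the paragraph above lists (a policy change, a reconfiguration, or user training) rather than always being an upgrade.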

Project vulnerability management

Project vulnerability is a project's susceptibility to negative events, the analysis of their impact, and the project's capability to cope with them. [5] Based on systems thinking, project systemic vulnerability management takes a holistic view and proposes the following process:

  1. Project vulnerability identification
  2. Vulnerability analysis
  3. Vulnerability response planning
  4. Vulnerability controlling – which includes implementation, monitoring, control, and lessons learned

Coping with negative events is done, in this model, through:

Redundancy is a specific method to increase resistance and resilience in vulnerability management. [6]

Antifragility is a concept introduced by Nassim Nicholas Taleb to describe the capacity of systems to not only resist or recover from adverse events, but also to improve because of them. Antifragility is similar to the concept of positive complexity proposed by Stefan Morcov.

References

  1. Foreman, Park (2010). Vulnerability management. Boca Raton: CRC Press. p. 1. ISBN 978-1-4398-0151-2. OCLC 444700438.
  2. Walkowski, Michał; Oko, Jacek; Sujecki, Sławomir (19 September 2021). "Vulnerability Management Models Using a Common Vulnerability Scoring System". Applied Sciences. 11 (18): 8735. doi:10.3390/app11188735.
  3. Juuso, Anna-Maija; Takanen, Ari (October 2010). Unknown Vulnerability Management. Codenomicon whitepaper.
  4. Nabel Zaharudin, Muhammad; Haziq Zuhaimi, Muhammad; Hossain Shezan, Faysal (19 May 2024). "Poster: Enhancing Symbolic Execution with LLMs for Vulnerability Detection" (PDF). IEEE Symposium on Security and Privacy. Retrieved 2024-11-27.
  5. Marle, Franck; Vidal, Ludovic-Alexandre (2016). Managing Complex, High Risk Projects. London: Springer London. [page needed]. doi:10.1007/978-1-4471-6787-7. ISBN 978-1-4471-6785-3. OCLC 934201504.
  6. Taleb, Nassim N.; Goldstein, Daniel G. (1 October 2009). "The Six Mistakes Executives Make in Risk Management". Harvard Business Review. ISSN 0017-8012. Retrieved 2021-12-13.