This is the second part of my previous post (https://secvision22.wordpress.com/2016/05/08/vulnerability_management_pt-_1_-_a_custom_approach/). In this post I’ll be talking about the process of detecting vulnerabilities in applications and infrastructure.
When doing a vulnerability assessment, I usually split it in two sections, application findings and infrastructure findings. The reason is that they’re two different things, and in a enterprise wide environment you will certainly have different teams taking care of these resources. It is very important to address the issues to the right people if you are interested in a functional vulnerability management process.
Keep in mind that automation of this detection process is very important, taking care of large environments is an arduous task and using tools in your favor is key, even if by doing so you may lower the detailing of what you find. Summarizing the tasks of this step, we can list the main objectives as:
- Setting-up automated tool-assisted scans. Infrastructure and application;
Tools like Nessus, Acunetix, NMAP and many other must be used in order to automate as much as possible the vulnerability assessment.
- Scheduling manual testing to critical business related environments;
Systems that are critical to the business or the ones that are sensible to scanning tools must be treated in a different way. Whether it is important to do some deep testing or not bringing them down, you must list and be aware of them.
- Maintaining a up-to-date security newsletter base;
Subscribe to vendors and security newsletters to be in touch of the new critical patches or that nasty zero-day vulnerabilities. CVE offers a free newsletter subscription right here: “https://cve.mitre.org/news/newsletter.html”
- Safely exploit critical vulnerabilities to find out it’s full potential.
Manually test any critical or potentially critical vulnerability to find out it’s full potential. Some system’s vulnerabilities may lead to access to the company’s network and other systems, it’s a pay for one get two type of problem.
As for the tools, you will find a lot of stuff in this area, the ones that are free will mostly do only specific things and you may run into trouble trying to fulfill the gaps, as you will find yourself running multiple tools to achieve one goal. Of course there are a few paid professional tools that will do the job just fine as well manage all the results you’ll get in one console.
With your favorites tools in hand, automated scans and the results coming in, you may find yourself in a sea of documentations an vulnerabilities. At this point you’ll realize that you probably won’t be able to handle all the reports and most importantly relate all the information. But fear not, this problems should be addressed in another section of the vulnerability management, at the GV3 Manage Vulnerabilities. Software like Nessus, Nexpose and Acunetix are mostly the first pick if you are looking into automated scan tools, these are top commercial tools used worldwide and personally speaking, the best around.
Besides having the tools it’s important to define which is important to you to look after. For example, if it is important to your organization that little to none information about it’s infrastructure is published, your analysis should focus on the footprint step of the vulnerability assessment. I strongly recommend reading OWASP’s Testing Guide, this is an huge document that addresses all the steps you should take and what you should be looking for, it can be found at:
This is one of the most complete and extensive guides that I could ever find, it will surely provide you all the directives you’ll need to start testing.
After setting your testing script, scheduling the automated testing and mapping the systems you must give an special attention, you are all ready to move forward and map the vulnerable systems. Relating all the data you get and prioritizing the systems that the responsible teams should focus their efforts in fixing, is whole different subject and is the main derivable of the vulnerability management process but this is material for a new post.
To conclude this post I would like to point that tools may seen very important to a successful vulnerability management process but in reality, the most important thing a process like this should deliver is to specify the vulnerabilities that all the effort must be focused on, based on it’s risk and the company goals.