Vulnerability Management (VM) is one of the most important exercises for keeping a system secure. In this post, I will sum up the different phases of Vulnerability Management. But before that, I would like to clarify the distinction between Vulnerability Management and Penetration Testing (PT).
Difference between VM and PT
VM is the practice of identifying known vulnerabilities in a system, whereas PT exploits these vulnerabilities. In the simplest terms, vulnerabilities are nothing but inherent weaknesses in the system that may get exploited if they are not scanned for, assessed and remediated. This exercise of scanning for, assessing and remediating these weaknesses (i.e. vulnerabilities) is called Vulnerability Management.
Penetration testing is the practice of exploiting these weaknesses. For example, a system did not auto-update itself with the latest patch released for it and hence left a ‘vulnerability’ open. When a penetration tester performs penetration testing, they will try to exploit these weaknesses and penetrate the system. Penetration testing doesn’t end there. A penetration tester is also responsible for identifying other loopholes in the system architecture, like static memory allocation, hardcoded passwords, XSS, etc.
There are several tools for Vulnerability Management and for maintaining its lifecycle. Regardless of the tool, the VM lifecycle has 6 phases:
- Discover: Ever heard ‘You can’t secure what you can’t see’? This is that phase. The Discover phase of VM requires that all assets are discovered and logged in an asset management tool. Most VM tools on the market will allow you to discover both host and cloud-based assets.
- Organize Assets: Managing and organizing assets is as important as discovering them. Who keeps track of the new laptop provided to the employee who joined last week? Who inventories the laptop of the employee who will be leaving next week? The simplest way to manage these assets is to create asset groups and asset tags and assign a team to manage them.
- Assess: The objective of the Assess phase is to scan the assets found in the Discover phase and identify their vulnerabilities.
But against what do we assess whether our system is in good shape or not?
All the VM tools on the market come with their own database of vulnerabilities against which our system will be checked. The database curates vulnerabilities from different sources like the Common Vulnerabilities and Exposures (CVE) database, the BugCrowd database, etc.
- Report: After the system is scanned and vulnerabilities are collected, they are presented in a reporting format with priorities listed so that they can be actioned upon.
- Remediate: The remediation tool helps prioritize the vulnerabilities and remediate them. Remediation of a vulnerability is nothing but patching the system or updating a library to mitigate it.
- Verify: The Verify phase ensures that the patching performed in the Remediate phase has actually worked and that no vulnerabilities are lingering on the system.
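To make the Assess, Report, Remediate and Verify phases concrete, here is an added Python example (not code from the original post or from any VM product) that runs a constructed asset inventory against a constructed vulnerability database, prioritizes the findings, simulates patching, and re-scans to verify. The advisory IDs, hosts, packages and versions are all placeholders, and "vulnerable" is simplified to "installed version older than the first fixed version".

```python
# Constructed vulnerability database (what the Assess phase checks against):
# package -> list of (advisory id, first fixed version, severity). IDs are placeholders, not real CVEs.
VULN_DB = {
    "openssl": [("VULN-EXAMPLE-0001", "3.0.7", 9.8)],
    "log4j": [("VULN-EXAMPLE-0002", "2.17.1", 10.0)],
    "nginx": [("VULN-EXAMPLE-0003", "1.21.0", 7.5)],
}

# Constructed inventory from the Discover and Organize Assets phases: hostname, owning-team tag,
# installed package versions. Simplification: a package is vulnerable if older than the fixed version.
ASSETS = [
    {"host": "web-01", "tag": "prod-web", "packages": {"nginx": "1.18.0", "openssl": "3.0.4"}},
    {"host": "app-01", "tag": "prod-app", "packages": {"log4j": "2.14.1", "openssl": "3.0.7"}},
    {"host": "dev-01", "tag": "dev", "packages": {"nginx": "1.21.3"}},
]

def version_key(version):  # '1.21.0' -> (1, 21, 0) so versions compare numerically, not as strings
    return tuple(int(part) for part in version.split("."))

def assess(assets, vuln_db):
    """Assess phase: flag every installed package older than its first fixed version."""
    findings = []
    for asset in assets:
        for pkg, installed in asset["packages"].items():
            for vuln_id, fixed_in, score in vuln_db.get(pkg, []):
                if version_key(installed) < version_key(fixed_in):
                    findings.append({"host": asset["host"], "tag": asset["tag"], "package": pkg,
                                     "installed": installed, "fixed_in": fixed_in, "id": vuln_id, "score": score})
    return findings

def report(findings):
    """Report phase: order by severity (highest first) so the top entries get actioned first."""
    return sorted(findings, key=lambda f: (-f["score"], f["host"], f["package"]))

def remediate(assets, findings):
    """Remediate phase (simulated patching): upgrade each flagged package to its fixed version."""
    patched = [{**a, "packages": dict(a["packages"])} for a in assets]  # copy; never mutate the inventory
    by_host = {a["host"]: a for a in patched}
    for f in findings:
        by_host[f["host"]]["packages"][f["package"]] = f["fixed_in"]
    return patched

def verify(assets, vuln_db):
    """Verify phase: re-run the assessment on the patched inventory; True only if nothing lingers."""
    return assess(assets, vuln_db) == []

if __name__ == "__main__":
    for f in report(assess(ASSETS, VULN_DB)):
        print(f"{f['score']:>4} {f['host']} [{f['tag']}] {f['package']} {f['installed']} -> {f['fixed_in']} {f['id']}")
    print("verified clean:", verify(remediate(ASSETS, assess(ASSETS, VULN_DB)), VULN_DB))
```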
Vulnerability scanning should be performed on a regular basis, as frequently as possible. Tools like Qualys provide the ability to run these scans on a daily basis as well.
Nice post, nicely differentiated between VM and Pen testing.