What is Vulnerability Management?

Nick Malcolm
Published in SafeStack, 3 min read, Jun 6, 2017

Note from SafeStack: This is the first post in our Consultant Series sharing security advice, which we hope will be useful for anyone out there looking to learn about IT security.

If you’re involved in tech or risk at your organization, you might have heard the term “vulnerability management” and wondered what it means. How important is it? How do I do it? Let’s dive in and find out!

Risk 101

There are three concepts to cover quickly. Risk is often described by a formula that goes:

risk = vulnerability × impact × likelihood

A vulnerability is something that puts you, your information, or your business at risk. A vulnerability poses a higher risk if the impact (to your wallet, or your reputation) is high, or if there is a high chance of it happening.
You can manage that risk by fiddling with any of these three components. Let’s use an example.

There’s a risk that if you fall off your bike on the way to work, you’ll hurt your head. Human heads are very soft compared to a road, and therefore vulnerable. You can manage the vulnerability by wearing a helmet. You can reduce the impact by having health insurance (or living in a country with free healthcare). You can reduce the likelihood by taking a safer route.

Vulnerability management is one part of risk management. Risk management takes into account all three aspects. Vulnerability management is exactly what it sounds like — managing the vulnerability side of risk!

How do I manage vulnerabilities in my organization?

In the technology realm, a vulnerability might be a library that you use in your web application to let people upload profile pictures. If there’s a bug in that library, someone could upload a photo and try to break your website, or steal data. You’d manage that vulnerability by keeping an eye out for new versions of that library so that if a security patch is released, you can update quickly and avoid any nasty problems.

There are some key steps here:

  • Know: Create a list of the technologies, frameworks, and libraries you use. Include their version numbers, and where you got them from. Keep it up to date!
  • Detect: Develop some processes to detect when a new version comes out. This could be by watching mailing lists, Twitter feeds, or using tools in your build pipeline that detect old versions.
  • Respond: Respond by understanding the severity of the issue, and then taking action to mitigate the vulnerability in a timely manner.
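The three steps above fit together as one small loop: an inventory (Know), a feed of fixed releases compared against that inventory (Detect), and a severity-to-deadline policy (Respond). The script below is an added example, not code from the post or from SafeStack; the component names, versions, advisory identifiers and the SLA days are all constructed sample data, and a real feed would come from the mailing lists, release notes or pipeline tools the post mentions. It also shows one edge case that bites hand-rolled checks: comparing versions as strings makes "2.10.0" look older than "2.9.0", so versions are compared numerically.

```python
"""Know -> Detect -> Respond as a small vulnerability-management loop.

Added example; the inventory, advisories and response policy are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    source: str  # where you got it from (package registry, vendor download, ...)


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_below: str  # every version strictly below this one is affected
    severity: str        # "critical" | "high" | "medium" | "low"
    advisory_id: str     # constructed placeholder, not a real identifier


# Know: the list of what you run, with versions and origin (constructed sample).
INVENTORY = [
    Component("image-upload-lib", "2.3.1", "npm"),
    Component("web-framework", "3.2.5", "pypi"),
    Component("pdf-renderer", "1.9.7", "vendor download"),
    Component("image-resizer", "2.10.0", "npm"),
]

# Detect: new fixed releases you learned about this week (constructed sample).
ADVISORIES = [
    Advisory("image-upload-lib", "2.4.0", "critical", "EXAMPLE-0001"),
    Advisory("web-framework", "3.2.9", "high", "EXAMPLE-0002"),
    Advisory("pdf-renderer", "1.9.7", "medium", "EXAMPLE-0003"),  # already on the fixed version
    Advisory("image-resizer", "2.9.0", "low", "EXAMPLE-0004"),    # 2.10.0 is newer than 2.9.0
]

# Respond: "given this level of risk, here's how quickly we need to address it".
# Constructed policy: days allowed to remediate per severity.
RESPONSE_SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected if it matches the advisory and is below the fixed version."""
    if component.name != advisory.component:
        return False
    return parse_version(component.version) < parse_version(advisory.affected_below)


def triage(inventory, advisories, policy, today: date) -> list:
    """Cross the inventory with the advisory feed and attach a fix-by date to each hit."""
    findings = []
    for component in inventory:
        for advisory in advisories:
            if is_affected(component, advisory):
                findings.append({
                    "component": component.name,
                    "installed": component.version,
                    "fixed_in": advisory.affected_below,
                    "severity": advisory.severity,
                    "advisory": advisory.advisory_id,
                    "fix_by": today + timedelta(days=policy[advisory.severity]),
                })
    # Worst first, so the response queue is already prioritised.
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY, ADVISORIES, RESPONSE_SLA_DAYS, date(2017, 6, 6)):
        print(f"{finding['severity']:>8}  {finding['component']} "
              f"{finding['installed']} -> {finding['fixed_in']}  "
              f"({finding['advisory']}) fix by {finding['fix_by']}")
```

Run against the sample data on 6 June 2017 it reports two findings, the critical upload library due the next day and the web framework due within a week; the renderer already on its fixed version and the resizer whose "2.10.0" only looks old as a string produce no noise.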

Preparing to Respond

Responding well requires preparation. You’ll want to have a process that you can use to figure out the impact to your organization, and the likelihood of it happening. The process will then help you say “given this level of risk, here’s how quickly we need to address it”.

You’ll also need to make sure someone or something in your organization is keeping track of your technologies, and keeping a watch for security issues that pop up. Easier said than done, but certainly doable!

Meerkats are great at detecting vulnerabilities! #teamwork

That’s a quick overview of what managing vulnerabilities really means. It’s an important aspect in keeping yourself and your business healthy. If you have any tips, share them in the comments below.

If you’d like to check out a tool my company has created to make vulnerability management really easy, head over to dfend.io!

Security Consultant @SafeStack. Formerly CTO @ThisDataHQ. @nickmalcolm on Twitter