
How to freshen up your vulnerability management approach

Johnathan Hunt VP of Security, Indeed

The traditional approaches to vulnerability management include dynamic application security testing (DAST) and static application security testing (SAST), but are those enough?

The growing trend toward cloud-native applications has spawned a multitude of developer tools, shifting security left and giving developers the ability to identify and remediate their own vulnerabilities before SAST and DAST tools can be used. Furthermore, bug bounty programs are gaining popularity, often used as a supplement to traditional app sec programs.

But knowing which solution is best for your organization can be tricky, since there is no one-size-fits-all approach. Here's how to bolster your organization's vulnerability management approach and tooling.

Start by adopting DevSecOps

Vulnerability management is the recurring process of identifying, classifying, treating, mitigating, and reporting vulnerabilities. This process should not occur in isolation but rather throughout the entire software development lifecycle.

Doing so provides the opportunity to identify vulnerabilities prior to production release, decreases the need for remediation in later stages of development and testing, and reduces the likelihood of breach and compromise.

Expect to see vulnerability management start to shift left and the notion of DevSecOps to become common practice among tech companies moving forward. Respondents to GitLab’s "2020 Global DevSecOps Survey" reported they have already experienced multiple changes in their roles.

Some 28% say they're increasingly being included on cross-functional teams focused on security, 27% find themselves more involved in day-to-day development activities, and 23% are focusing more on compliance. Only 20% said that their role has not changed and that they do not expect it to change.

Define the scope, create a cadence

Arguably the most important step for a successful vulnerability management process is defining the scope that the process will cover. At GitLab, our security and infrastructure teams partnered to define a scope that would make sure all of our critical environments and systems were covered during deployment. (You can find the environments that are currently in scope for GitLab.com production here.) 

With our environments scoped out, we deployed our vulnerability scanner and began the vulnerability management process. 

Note that vulnerability management is a continuous feedback loop: Vulnerability scanners provide the data that is ingested and analyzed to remediate confirmed vulnerabilities. Feedback from this process feeds into preventative initiatives that further secure our environments.

We break down vulnerability management into the following steps:

  • Vulnerability scanning
  • Reporting/analysis
  • Ingestion
  • Validation
  • Remediation
  • Feedback

Additionally, organizations should set up a regular cadence for scanning their environments to catch newly identified or newly introduced vulnerabilities. This keeps the team proactive in catching and mitigating vulnerabilities, rather than always reacting once a vulnerability has been exposed.
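The loop described above (scan, report/analyze, ingest, validate, remediate, feed back) and the scan cadence are easy to reason about once they are written down as a small pipeline. The following is an added illustration, not code from the article or from GitLab: it ingests constructed findings from two hypothetical scanners, merges duplicates so that SLA clocks do not reset on rescans, drops analyst-marked false positives at the validation step, orders the remediation queue, and reports what is overdue at the current cadence. The finding records, asset names, scanner names, severity SLAs and the seven-day cadence are all assumptions.

```python
"""Toy vulnerability-management loop: ingest -> validate -> prioritise -> schedule.

Added illustration. The finding records, asset names, scanner names, severity
SLAs and scan cadence below are constructed assumptions, not GitLab's data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample: raw output from two hypothetical scanners covering the
# same environment. Only the fields this example uses are modelled.
RAW_FINDINGS = [
    {"scanner": "host-scan", "asset": "web-01", "id": "VULN-0001", "severity": "high", "found": "2021-03-01"},
    {"scanner": "host-scan", "asset": "web-02", "id": "VULN-0001", "severity": "high", "found": "2021-03-01"},
    {"scanner": "container-scan", "asset": "web-01", "id": "VULN-0001", "severity": "critical", "found": "2021-03-02"},
    {"scanner": "container-scan", "asset": "db-01", "id": "VULN-0002", "severity": "low", "found": "2021-03-02"},
    {"scanner": "host-scan", "asset": "web-01", "id": "VULN-0003", "severity": "medium", "found": "2021-03-01",
     "false_positive": True},  # analyst marked this one during validation
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# Assumed remediation SLA in days per severity, and an assumed weekly scan cadence.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90, "info": 180}
SCAN_CADENCE_DAYS = 7


@dataclass
class Finding:
    asset: str
    vuln_id: str
    severity: str
    first_seen: date
    sources: set = field(default_factory=set)
    validated: bool = False
    false_positive: bool = False

    @property
    def due(self) -> date:
        """Remediation deadline counted from the first sighting, not the latest rescan."""
        return self.first_seen + timedelta(days=REMEDIATION_SLA_DAYS[self.severity])


def ingest(raw):
    """Normalise raw records and merge duplicates keyed on (asset, vuln id).

    When two scanners disagree on severity the higher one wins; the earliest
    sighting is kept as first_seen so that SLA clocks do not reset on rescans.
    """
    merged = {}
    for r in raw:
        key = (r["asset"], r["id"])
        seen = date.fromisoformat(r["found"])
        sev = r["severity"].lower()
        f = merged.get(key)
        if f is None:
            f = Finding(r["asset"], r["id"], sev, seen)
            merged[key] = f
        if SEVERITY_RANK[sev] > SEVERITY_RANK[f.severity]:
            f.severity = sev
        f.first_seen = min(f.first_seen, seen)
        f.sources.add(r["scanner"])
        f.false_positive = f.false_positive or r.get("false_positive", False)
    return list(merged.values())


def validate(findings):
    """Validation step: drop analyst-marked false positives, confirm the rest."""
    confirmed = []
    for f in findings:
        if not f.false_positive:
            f.validated = True
            confirmed.append(f)
    return confirmed


def prioritise(findings):
    """Remediation queue: highest severity first, then nearest due date."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.due))


def overdue(findings, today):
    return [f for f in findings if f.due < today]


def next_scan(last_scan_iso):
    """Cadence: the next scheduled scan date, as an ISO string."""
    return (date.fromisoformat(last_scan_iso) + timedelta(days=SCAN_CADENCE_DAYS)).isoformat()


def run_cycle(raw, today_iso):
    """One iteration of the loop; the summary is what feeds back into prevention work."""
    today = date.fromisoformat(today_iso)
    queue = prioritise(validate(ingest(raw)))
    return {
        "open": len(queue),
        "overdue": [f.vuln_id + "@" + f.asset for f in overdue(queue, today)],
        "top": queue[0].vuln_id if queue else None,
        "multi_source": sum(1 for f in queue if len(f.sources) > 1),
    }


if __name__ == "__main__":
    print(run_cycle(RAW_FINDINGS, "2021-03-20"))
    print("next scan:", next_scan("2021-03-13"))
```

Two design points carry over to real tooling: deduplicating on (asset, vulnerability id) across scanners is what turns several reports into one remediation item, and anchoring the SLA to the first sighting rather than the latest scan is what stops a weekly cadence from quietly extending deadlines.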

Some examples of secure scanners (each with a different focus) to help with this process include:

Adopt bug bounty programs

Bug bounty programs are another helpful vulnerability management method. Organizations can leverage bug bounties to supplement their app sec programs. Running a bug bounty program gets you ahead of any security vulnerabilities by opening up your source code to the public, and experienced security researchers can then work with you to find and solve any security issues before they become a problem.

In 2020, GitLab's bug bounty program yielded tremendous results. We received a total of 1,070 reports from 505 security researchers and awarded a total of $380,800 in bounties to 62 different researchers who reported valid vulnerabilities.

We also resolved 259 reports, 131 of which we made public. More than 163 security researchers submitted multiple reports, which indicates that their first engagement with us was a positive one.

To maintain a successful bug bounty program, you need to define and communicate a manageable program scope, allocate dedicated resources to program management, and prioritize the remediation of findings.

You should also listen to stakeholder feedback and be responsive in real time to reports; this will help you improve hacker engagement, streamline processes, decrease fix times, and even perhaps unveil new ways to innovate.

For smaller security teams, embracing automation will help to scale your bug bounty program. Finally, you should always be transparent about security issues, because this will help establish trust among your user base and set a positive example for other organizations in your industry that might be considering their own bug bounty program.

Get proactive with vulnerability management

There are many benefits to shifting vulnerability management left as your organization adopts a DevSecOps strategy, but knowing which practices and tools to use may require some trial and error—and a deep understanding of the ways in which they'll be applied.

An effective strategy will allow you to proactively protect your environment against new vulnerabilities and will greatly reduce your risk and volume of incidents. Finally, a proactive strategy, when paired with transparency, will help build trust with your user base and allow you to be a model for other organizations in your industry.
