
How SCAP Brought Sanity to Vulnerability Management

Orbitz CISO Ed Bellis explains how the proliferation of vulnerability assessment products and services has created chaos, and how SCAP may be the answer.

It's safe to say that vulnerability assessment tools have become commonplace within most security teams' toolboxes. As security programs mature, they often begin to look at ways to automate tasks that are mundane and repetitive.

These applications have become better at identifying common mistakes in Web applications, patch management, configuration, and system and database hardening.

But with the proliferation of vulnerability assessment products and services, we have begun to create a different problem.

Any organisation that maintains a reasonably sized infrastructure or Web presence can easily end up with many different applications, services and tools to maintain and monitor their vulnerabilities. These tools include VA scanners to identify security bugs within applications, databases, hosts and networks.

Vulnerability management programs may also employ software-as-a-service (SaaS) solutions to assist in vulnerability identification through both automated tools and manual testing.

Static source code analysis tools add to the internal store of vulnerabilities. Want more data? How about adding the results of your penetration tests?

This vulnerability data may include Web application vulnerabilities: technical vulnerabilities missed by VA scanners, logic flaws, and social engineering exploits made possible by a lack of process or awareness.

A Mountain of Data

As we begin to find out, in some cases, maturity can bring complexity and more data! But more data is just the tip of the iceberg. How does a CISO connect all of this data? How does management understand what issues and bugs should be prioritised when conducting remediation?

Once prioritised, how do we then migrate these bugs to our bug-tracking, change-management and trouble-ticketing systems?

Your problem is not only managing the mountain of data you're sitting on; it now includes managing all of this data described in different ways, and managing vulnerability assessment reports that contain overlapping bugs or false positives. Identifying your bugs and problems is no longer the primary issue. You now have to do something about them.

In order to get these vulnerabilities closed, the security teams need to start sorting and moving this data around and getting the appropriate issues in front of management, developers and engineers.

You've taken the step to add more tools to your management arsenal to eliminate the mundane and repeatable tasks only to have your team stuck with enough mundane and repeatable tasks to occupy a small army of security professionals!
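The correlation step described above, as an added example that is not part of the article or of any product it mentions: findings from two hypothetical scanners with different record layouts are normalised onto the identifiers SCAP standardises (CVE for the weakness, CPE for the affected product, CVSS for severity), merged on (host, CVE) so that overlapping reports collapse into one record, ranked by CVSS, and emitted in a ticket-ready shape. The sample findings, both record layouts and the source names are constructed for illustration; a finding with no CVE reference cannot be correlated and is dropped rather than silently merged.

```python
"""Correlate multi-scanner findings on SCAP identifiers (CVE, CPE, CVSS).
Added illustration with constructed data; neither input format is a real
product's, and the host/CVE values are made up."""
from dataclasses import dataclass, field

# Constructed output of two hypothetical tools that report the same hosts
# in different shapes (scanner_b nests CVEs in a list and scores as strings).
SCANNER_A = [
    {"ip": "10.0.0.5", "cve": "CVE-2010-0001", "cpe": "cpe:/a:example:webapp:1.2", "cvss": 7.5},
    {"ip": "10.0.0.5", "cve": "CVE-2010-0002", "cpe": "cpe:/o:example:os:5", "cvss": 4.3},
    {"ip": "10.0.0.9", "cve": "CVE-2010-0003", "cpe": "cpe:/a:example:db:9", "cvss": 9.3},
]
SCANNER_B = [
    {"host": "10.0.0.5", "refs": ["CVE-2010-0001"], "product": "cpe:/a:example:webapp:1.2", "score": "7.5"},
    {"host": "10.0.0.5", "refs": ["CVE-2010-0004"], "product": "cpe:/a:example:webapp:1.2", "score": "5.0"},
    {"host": "10.0.0.9", "refs": [], "product": "cpe:/a:example:db:9", "score": "6.4"},  # no CVE
]


@dataclass
class Finding:
    host: str
    cve: str
    cpe: str
    cvss: float
    sources: set = field(default_factory=set)


def normalise_a(rec):
    """Map a scanner_a record onto the common schema."""
    return [Finding(rec["ip"], rec["cve"].upper(), rec["cpe"], float(rec["cvss"]), {"scanner_a"})]


def normalise_b(rec):
    """Map a scanner_b record onto the common schema, one Finding per CVE.
    A record with no CVE reference has no key to correlate on and is dropped
    here; a real pipeline would route it to manual review instead."""
    return [Finding(rec["host"], cve.upper(), rec["product"], float(rec["score"]), {"scanner_b"})
            for cve in rec["refs"]]


def correlate(*batches):
    """Merge findings that describe the same (host, CVE) pair across tools."""
    merged = {}
    for batch in batches:
        for f in batch:
            key = (f.host, f.cve)
            if key in merged:
                m = merged[key]
                m.cvss = max(m.cvss, f.cvss)   # tools may score differently; keep the worst case
                m.sources |= f.sources
            else:
                merged[key] = Finding(f.host, f.cve, f.cpe, f.cvss, set(f.sources))
    return merged


def severity(cvss):
    """NVD's CVSS v2 severity ranges: Low 0-3.9, Medium 4.0-6.9, High 7.0-10."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def prioritise(merged):
    """Highest CVSS first; ties broken by how many tools agree, then host and CVE."""
    return sorted(merged.values(), key=lambda f: (-f.cvss, -len(f.sources), f.host, f.cve))


def ticket(f):
    """Shape one merged finding the way a bug-tracking system would take it."""
    return {
        "title": f"{f.cve} on {f.host} ({f.cpe})",
        "severity": severity(f.cvss),
        "cvss": f.cvss,
        "confirmed_by": sorted(f.sources),
    }


def build_queue(raw_a=SCANNER_A, raw_b=SCANNER_B):
    """Normalise, correlate and rank; returns the ticket list in priority order."""
    a = [f for r in raw_a for f in normalise_a(r)]
    b = [f for r in raw_b for f in normalise_b(r)]
    return [ticket(f) for f in prioritise(correlate(a, b))]


if __name__ == "__main__":
    for t in build_queue():
        print(t["severity"], t["cvss"], t["title"], t["confirmed_by"])
```

On the sample data five raw records collapse to four tickets: the CVE-2010-0001 report from both tools becomes one record marked as confirmed by both, and the scanner_b record with no CVE is excluded from the queue because nothing identifies it well enough to deduplicate.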



Comments


David Oliva

Mon 16/08/2010 - 05:16

Mr. Bellis:

I am pursuing research in the area of acceptance of the SCAP standards in private industry. The books that define SCAP are free and are located at http://csrc.nist.gov/publications/PubsSPs.html.

In particular, SP 800-126, SP 800-117, and SP 800-70.
As of today, 15 Aug 2010, there are 36 SCAP-compliant products as advertised at http://nvd.nist.gov/scapproducts.cfm.

Please continue to add comments on this blog.

David Oliva

Tags: security, Security Content Automation Protocol, vulnerability assessment