How SCAP Brought Sanity to Vulnerability Management
- 12 May, 2009 00:10
- Comments 1
It's safe to say that vulnerability assessment tools have become commonplace within most security teams' toolboxes. As security programs mature, they often begin to look at ways to automate tasks that are mundane and repetitive.
These applications have become better at identifying common mistakes in Web applications, patch management, configuration, and system and database hardening.
But with the proliferation of vulnerability assessment products and services, we have begun to create a different problem.
Any organisation that maintains a reasonably sized infrastructure or Web presence can easily end up with many different applications, services and tools to maintain and monitor their vulnerabilities. These tools include VA scanners to identify security bugs within applications, databases, hosts and networks.
Vulnerability management programs may also employ software-as-a-service (SaaS) solutions to assist in vulnerability identification through both automated tools and manual testing.
Static source code analysis tools add to the internal store of vulnerabilities. Want more data? How about adding the results of your penetration tests?
This vulnerability data may include Web application vulnerabilities missed by VA scanners, social-engineering findings that expose gaps in process or awareness, and business-logic flaws that no automated tool will find.
A Mountain of Data
As we begin to find out, maturity can bring complexity and, above all, more data. But more data is just the tip of the iceberg. How does a CISO connect all of this data? How does management understand which issues and bugs should be prioritised for remediation?
Once prioritised, how do we then move these bugs into our bug-tracking, change-management and trouble-ticketing systems?
Your problem is not only managing the mountain of data you're sitting on; it now includes managing data that each tool describes in its own way, and reconciling vulnerability assessment reports that contain overlapping bugs or false positives. Identifying your bugs and problems is no longer the primary issue. You now have to do something about them.
In order to get these vulnerabilities closed, the security teams need to start sorting and moving this data around and getting the appropriate issues in front of management, developers and engineers.
You've added more tools to your management arsenal to eliminate the mundane and repeatable tasks, only to leave your team with enough mundane and repeatable tasks to occupy a small army of security professionals.
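The reconciliation problem above is exactly what a common vocabulary is for: SCAP (NIST SP 800-126) bundles CVE as the identifier for a weakness and CVSS as its severity score, so two tools that report the same CVE on the same host can be recognised as one issue. The script below is an added example and not the author's code. It parses two constructed exports in different formats (a CSV and a JSON file, both invented for this example), collapses overlapping rows into one record per host and CVE, keeps findings with no CVE without falsely merging them, and rolls the result into a prioritised remediation queue. The only assumption is that each tool reports a host, an optional CVE id and a CVSS score.

```python
"""Normalise and merge findings from two differently formatted scanner
reports using identifiers SCAP standardises (CVE for the weakness, CVSS
base score for severity), then roll them into remediation tickets.

Added example, not the article's or any vendor's code. Both report
formats and every finding below are constructed sample data."""
import csv
import io
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample exports: tool A writes CSV, tool B writes JSON.
TOOL_A_CSV = """host,plugin,cve,cvss,title
10.0.0.5,10101,CVE-2008-4250,10.0,MS08-067 Server service RPC
10.0.0.5,10102,,5.0,SSL weak cipher (no CVE)
10.0.0.7,10101,CVE-2008-4250,10.0,MS08-067 Server service RPC
"""

TOOL_B_JSON = json.dumps({"results": [
    {"ip": "10.0.0.5", "cve_ids": ["CVE-2008-4250"], "score": 10.0,
     "name": "Windows Server service vulnerability"},
    {"ip": "10.0.0.5", "cve_ids": ["CVE-2008-4250"], "score": 10.0,
     "name": "Windows Server service vulnerability"},   # duplicate row
    {"ip": "10.0.0.9", "cve_ids": ["CVE-2008-1447"], "score": 6.4,
     "name": "DNS cache poisoning"},
]})


@dataclass(frozen=True)
class Finding:
    host: str
    cve: Optional[str]   # the cross-tool join key, when present
    cvss: float
    source: str
    title: str


def parse_tool_a(text: str) -> List[Finding]:
    """Tool A: one CSV row per plugin hit; the CVE column may be empty."""
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["host"], r["cve"].strip() or None, float(r["cvss"]),
                    "toolA", r["title"]) for r in rows]


def parse_tool_b(text: str) -> List[Finding]:
    """Tool B: JSON results, each carrying a list of CVE ids."""
    out = []
    for r in json.loads(text)["results"]:
        for cve in r.get("cve_ids") or [None]:
            out.append(Finding(r["ip"], cve, float(r["score"]), "toolB", r["name"]))
    return out


def finding_id(f: Finding) -> str:
    # A finding with no CVE has no cross-tool identity: key it on the tool
    # and title so it survives without being merged into something else.
    return f.cve if f.cve else f"{f.source}:{f.title}"


def dedupe(findings: List[Finding]) -> Dict[Tuple[str, str], dict]:
    """Collapse overlapping reports into one record per (host, identifier)."""
    merged: Dict[Tuple[str, str], dict] = {}
    for f in findings:
        rec = merged.setdefault((f.host, finding_id(f)),
                                {"cvss": 0.0, "sources": set()})
        rec["cvss"] = max(rec["cvss"], f.cvss)   # keep the worst score seen
        rec["sources"].add(f.source)
    return merged


def tickets(merged: Dict[Tuple[str, str], dict]) -> List[dict]:
    """One ticket per identifier listing affected hosts, worst first."""
    by_id: Dict[str, dict] = {}
    for (host, ident), rec in merged.items():
        t = by_id.setdefault(ident, {"id": ident, "cvss": 0.0,
                                     "hosts": set(), "sources": set()})
        t["cvss"] = max(t["cvss"], rec["cvss"])
        t["hosts"].add(host)
        t["sources"] |= rec["sources"]
    # Highest CVSS first, then widest spread, then most tools agreeing.
    return sorted(by_id.values(),
                  key=lambda t: (-t["cvss"], -len(t["hosts"]), -len(t["sources"])))


def run() -> Tuple[int, int, List[dict]]:
    """Return (raw finding count, deduplicated count, prioritised tickets)."""
    raw = parse_tool_a(TOOL_A_CSV) + parse_tool_b(TOOL_B_JSON)
    merged = dedupe(raw)
    return len(raw), len(merged), tickets(merged)


if __name__ == "__main__":
    n_raw, n_merged, queue = run()
    print(f"{n_raw} raw findings -> {n_merged} unique host/issue pairs")
    for t in queue:
        print(f"{t['cvss']:>4}  {t['id']:<32} hosts={sorted(t['hosts'])} "
              f"seen_by={sorted(t['sources'])}")
```

On the sample data six raw rows become four host/issue pairs and three tickets; the MS08-067 ticket lands first because it has the highest CVSS, touches the most hosts and is corroborated by both tools. The finding with no CVE is kept under a tool-local key rather than dropped, which is the honest outcome when a scanner reports something the standard vocabulary cannot name.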
Comments
David Oliva
Mr. Bellis:
I am pursuing research in the area of acceptance of the SCAP standards in private industry. The books that define SCAP are free and are located at http://csrc.nist.gov/publications/PubsSPs.html.
In particular, SP 800-126, SP 800-117, and SP 800-70.
As of today 15 Aug 2010 there are 36 SCAP compliant products as advertised at http://nvd.nist.gov/scapproducts.cfm.
Please continue to add comments on this blog.
David Oliva