You did the right thing and invested time and money in your application security program. Now you have these static and dynamic application security testing (AST) tools returning long, complex lists of vulnerabilities. Why can’t you just hand those lists over to your development team and have them fix the problems? Why isn’t software vulnerability management simply “find it, and fix it?”
To thoroughly test for vulnerabilities, you need to use multiple testing techniques such as static analysis, dynamic analysis, manual penetration testing, component testing, and threat modeling, to name a few. These are all elements of a good application security program. In addition, you may have to use multiple AST tools within these techniques to improve your overall vulnerability coverage.
Now you have all this data, but it’s being reported differently by each AST system in their vendor-specific format. For instance, some tools will report “nonconstant string passed to execute statement” and another will call it “SQL Injection.” You need to know that these are probably the same vulnerability. These systems also report the severity of a vulnerability in various formats: some will use a 1 to 10 ranking, others a 1 to 100 – or high, medium, and low.
You have all these results, all this data, listing every detected potential vulnerability. Your appsec team gives these lists to your development team and says, “You need to fix these.” But where do they start? Which ones are real? Which are false positives? Which are duplicates? Which are the most important?
Triaging your results
You’ve got this large amount of data on your hands that requires sorting, normalizing, de-duplicating, and prioritizing. As in a hospital emergency room, you need to expeditiously determine “here’s what’s broken, here’s what needs fixing, and this is the order in which to do it.”
An important step in vulnerability management is to do this triage in an efficient and effective manner. Correlating test results from the myriad tools and systems you have is key to this process. Vulnerability correlation includes:
- Separate the signal from the noise: Determine which vulnerabilities are real, remove duplicates, and normalize the type among the various names given by the various tools.
- Classify the issues: Once you’re satisfied that you are dealing with true exploitable vulnerabilities, you need to determine what kind of vulnerability it is, and how it’s to be fixed.
- Prioritize: Because application vulnerability management takes place within a larger development lifecycle, it’s necessary to prioritize vulnerabilities as they are identified and effectively fit them into your workflow by importance.
- Mitigate: Now that you have a list of actual, actionable and prioritized vulnerabilities, you can give this list to your development team to address the vulnerabilities.
Nothing alienates a development team like being handed a list of thousands of potential vulnerabilities, the majority of which may not even be real, and being asked to re-code the software to “make it secure.” A large – and time-consuming – part of the security team’s job is to verify their findings before handing them off to the dev team to fix.
If done manually, this part of vulnerability management can sometimes take longer than the testing itself – and requires a team of highly-skilled (and hard to find) people.
Application Vulnerability Correlation (AVC) tools
In their most recent Hype Cycle Report for Application Security, Gartner defines Application Vulnerability Correlation (AVC) tools as “Workflow and process management tools that streamline software development application vulnerability testing and remediation.” These AVC tools allow you to benefit from the unruly mass of data created by the ever-growing number of testing tools.
AVC tools make all of your testing tools work together to provide one set of correlated results. They can de-dupe and normalize test results to a consistent (or customized) definition and level of risk. Using your own vulnerability policies, the AVC tool can then prioritize and manage the mediation of the vulnerabilities, and even integrate them with your application lifecycle management tools. Some can even go as far as automatically checking your code to make sure it’s compliant with government regulations such as HIPAA, PCI, and the DISA-STIG.
AVC tools give management a single vantage point into the growing amount of data generated by your AST tools, and increases your visibility to the vulnerabilities affecting your application. With this organized, easy-to-understand visibility, you can stop wasting valuable time managing the tools and begin focusing on managing the vulnerabilities in your application – and your teams can concentrate of fixing the problems that they find.