The vulnerability management program is a defined approach to identifying, assessing, and resolving technical vulnerabilities in your software and network environment.
The Consumer Data Right gives Australians control of their data, which enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab and included in an assurance report for accreditation.
The vulnerability management program addresses one of the 24 information security requirements, titled Vulnerability Management.
The vulnerability management program should take a risk-based approach that prioritises higher-severity vulnerabilities. It may be appropriate not to address every vulnerability, provided that decision is based on the assessed risk. There are various predefined scales and industry benchmarks to use for this risk-based approach; vulnerability scanning software and penetration testers generally come with their own scales that align with industry standards.
The following practices may make up part of your vulnerability management program. It’s best to have a combination of these, if not all of them. They each have pros and cons with respect to the breadth and depth of coverage and the timeliness with which vulnerabilities are identified, and some of them prevent vulnerabilities in the first place rather than identifying and resolving them once they’ve reached the live environment.
Secure development practices
Change control and secure development practices are your first line of defense against vulnerabilities. Change control is a subject in its own right and is covered separately in the Change Control Policy post. Secure development practices are behavioural and relate to your Security Awareness Training: they come from educating your developers, and others involved in the software development process, to treat security as a core objective.
Static code analysis
Another preventive practice is scanning the source code for vulnerabilities, either periodically or as part of the build process in your continuous integration / continuous delivery (CI/CD) pipeline. Systemic controls can be added in this way to prevent vulnerabilities being released into production, or the results can serve as an informative feedback mechanism that helps prevent or reduce these vulnerabilities. The latter approach should be considered as part of the change control process, including the associated approvals, to ensure any vulnerabilities identified are within the risk tolerance.
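As an added illustration of the systemic control described above (example code written for this post, not AssuranceLab's or any scanner vendor's), the script below reads static analysis output in the SARIF format that most SAST tools can emit, and fails the pipeline step when any finding at or above a blocking level is not covered by an approved, time-limited exception. The blocking level, the accepted-risk register and the SARIF document are constructed, hypothetical values standing in for what a team would set through its change control process.

```python
"""Risk-tolerance gate for static analysis results in a CI/CD pipeline.

Added example, not AssuranceLab's code. Assumes the scanner writes SARIF
(an OASIS standard); the tolerance policy and the accepted-risk register
below are hypothetical values a team would set under change control.
"""
import json
import sys
from datetime import date
from typing import Dict, List

# SARIF 'level' values ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Hypothetical policy: findings at or above this level block the release
# unless an approved exception covers them.
BLOCKING_LEVEL = "error"

# Hypothetical accepted-risk register: (rule id, file) approved through
# change control, with an expiry date so each exception is re-reviewed.
ACCEPTED_RISKS = {
    ("example/sql-injection", "src/reports.py"): date(2024, 12, 31),
}

# Constructed SARIF document standing in for real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "example/sql-injection", "level": "error",
             "message": {"text": "SQL built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/reports.py"}}}]},
            {"ruleId": "example/hardcoded-secret", "level": "error",
             "message": {"text": "credential literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"}}}]},
            {"ruleId": "example/weak-hash", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"}}}]},
        ],
    }],
})


def parse_sarif(text: str) -> List[Dict]:
    """Flatten SARIF runs/results into simple finding records."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            uri = "<unknown>"
            locations = result.get("locations") or []
            if locations:
                uri = (locations[0].get("physicalLocation", {})
                       .get("artifactLocation", {}).get("uri", uri))
            findings.append({
                "rule": result.get("ruleId", "<no-rule>"),
                # SARIF defines "warning" as the default level.
                "level": result.get("level", "warning"),
                "file": uri,
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def evaluate(findings: List[Dict], today: date) -> Dict:
    """Split blocking-level findings into accepted (valid exception) and blocking."""
    blocking, accepted = [], []
    for f in findings:
        if LEVEL_RANK.get(f["level"], LEVEL_RANK["warning"]) < LEVEL_RANK[BLOCKING_LEVEL]:
            continue  # below tolerance: reported, but does not block
        expiry = ACCEPTED_RISKS.get((f["rule"], f["file"]))
        if expiry is not None and today <= expiry:
            accepted.append(f)
        else:
            blocking.append(f)
    return {"release_allowed": not blocking, "blocking": blocking, "accepted": accepted}


def gate(sarif_text: str, today: date) -> Dict:
    """Parse scanner output and apply the tolerance policy."""
    return evaluate(parse_sarif(sarif_text), today)


if __name__ == "__main__":
    verdict = gate(SAMPLE_SARIF, date(2024, 6, 1))
    for f in verdict["blocking"]:
        print(f"BLOCKING {f['rule']} in {f['file']}: {f['message']}")
    for f in verdict["accepted"]:
        print(f"accepted exception {f['rule']} in {f['file']}")
    sys.exit(0 if verdict["release_allowed"] else 1)
```

A non-zero exit code is what the pipeline keys on, so the build step cannot silently pass a blocking finding; an expired exception falls back to blocking, which forces the re-approval the change control process expects.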
Vulnerability scanning software
Using vulnerability scanning software has become a ubiquitous practice for software businesses. There’s a broad range of solutions out there, with varying coverage in the scope of systems and the known types of vulnerabilities they identify. As vulnerability scanning has become more ubiquitous, it has also become more readily available as a service. Some of these solutions may be available from your existing providers, like Google Cloud’s Web Security Scanner, Amazon Inspector, or Vanta’s vulnerability scanning solution packaged with their out-of-the-box security and compliance tools. There are also solutions with generous free tiers, like Snyk.io. Any of these solutions should be used in combination with a defined process covering how frequently the scans are run and reviewed, how the findings are assessed, and what priority they are given relative to other work.
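The risk-based prioritisation and the defined scanning process described above can be made concrete in a short triage routine. The example below is added for this post (it is not AssuranceLab's code and not any scanner's real export format): it bands each open finding using the published CVSS v3 qualitative scale, assigns a remediation due date from a severity-based window, orders the backlog by severity and due date, and checks that the gap between scans has not exceeded the defined cadence. The remediation windows, the maximum scan interval, the finding records and the scan dates are all constructed policy values and sample data.

```python
"""Risk-based triage of scan findings plus a scan-cadence check.

Added example, not AssuranceLab's or any vendor's code. Severity bands are
the CVSS v3.x qualitative scale; remediation windows, the scan interval and
the record layout are hypothetical policy values and constructed data.
"""
from datetime import date, timedelta
from typing import Dict, List

# Published CVSS v3.x qualitative severity bands.
def cvss_severity(score: float) -> str:
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Hypothetical policy: days allowed to remediate, by severity band.
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": None}

# Hypothetical policy: scans must run at least this often.
MAX_SCAN_INTERVAL_DAYS = 30

# Constructed scan export (not a real product's format).
SAMPLE_FINDINGS = [
    {"id": "F-1", "asset": "api-gateway", "cvss": 9.8, "first_seen": "2024-05-01", "status": "open"},
    {"id": "F-2", "asset": "build-agent", "cvss": 7.5, "first_seen": "2024-05-20", "status": "open"},
    {"id": "F-3", "asset": "wiki", "cvss": 3.1, "first_seen": "2024-01-10", "status": "open"},
    {"id": "F-4", "asset": "api-gateway", "cvss": 5.3, "first_seen": "2024-03-01", "status": "risk_accepted"},
]
SAMPLE_SCAN_DATES = ["2024-04-02", "2024-05-06", "2024-05-20"]


def triage(findings: List[Dict], today: date) -> List[Dict]:
    """Return open findings with severity, due date and overdue days, highest risk first."""
    backlog = []
    for f in findings:
        if f["status"] != "open":
            continue  # closed or formally risk-accepted items leave the backlog
        severity = cvss_severity(f["cvss"])
        window = REMEDIATION_DAYS[severity]
        if window is None:
            continue
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=window)
        backlog.append({
            "id": f["id"],
            "asset": f["asset"],
            "severity": severity,
            "due": due.isoformat(),
            "days_overdue": max(0, (today - due).days),
        })
    backlog.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["due"]))
    return backlog


def scan_cadence(scan_dates: List[str], today: date) -> Dict:
    """Check the longest gap between scans (and since the last scan) against policy."""
    dates = sorted(date.fromisoformat(d) for d in scan_dates)
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    if dates:
        gaps.append((today - dates[-1]).days)  # time elapsed since the latest scan
    longest = max(gaps) if gaps else None
    return {
        "longest_gap_days": longest,
        "compliant": longest is not None and longest <= MAX_SCAN_INTERVAL_DAYS,
    }


if __name__ == "__main__":
    today = date(2024, 6, 10)
    for row in triage(SAMPLE_FINDINGS, today):
        print(f"{row['severity']:<8} {row['id']} {row['asset']:<12} due {row['due']} "
              f"overdue {row['days_overdue']}d")
    print(scan_cadence(SAMPLE_SCAN_DATES, today))
```

Reviewing this output on the agreed schedule gives the evidence an auditor looks for: which findings were prioritised, why, whether the remediation window was met, and whether the scans themselves ran as often as the process says they should.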
Penetration testing
Another ubiquitous practice is engaging a third party to conduct penetration testing. Some “penetration tests” are glorified vulnerability scans. Proper penetration testing involves expert, qualified assessors performing manual reviews and breach attempt exercises to check for potential exploits or vulnerabilities. The industry standard is to perform this at least annually. A higher frequency is beneficial both to identify vulnerabilities in a more timely manner and because penetration testers progressively build their knowledge of the environment, which improves the quality and rigour of the review over time. While the other vulnerability management exercises above are often viewed as a “nice to have”, penetration tests are usually regarded as a “must have” by enterprise customers of SaaS providers.
Security patching/hardening
A defined process for hardening or patching your devices, operating systems, and software ensures regular updates are made to improve security and protect against known threats, which are continuously evolving and becoming more sophisticated. This is conceptually the same process whether it’s your own in-house developed software or third-party software, devices, and operating systems. The difference is that for your own software, your team needs to work out the fix and roll it out to all instances of the product. This should follow the change control process, including impact assessments prior to deploying the updates and, depending on the terms of service and whether you maintain multiple software instances, potentially agreeing the rollout with customers.
Anti-virus software
Anti-virus software is used to continuously scan for, identify, quarantine, and resolve exploit attempts, which often come in the form of malicious software. This is where technical or organisational vulnerabilities are exploited to breach your security. Like the patching and updates to operating systems and software, the anti-virus software should be regularly updated to ensure it covers the latest known threats. These updates, and any cases of malware or suspicious programs, should be reviewed periodically to ensure compliance and to continually improve defensive security practices.
The CDR Perspective
There are two requirements of the CDR that fit together: security patching and vulnerability management.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.