There are many different approaches to vulnerability management. Traditional methods include dynamic application security testing (DAST) and static application security testing (SAST), but are they enough?
The growing trend toward cloud-native applications has introduced a multitude of developer tools, shifting security left and giving developers the ability to identify and remediate their own vulnerabilities before SAST and DAST tools are even run. Furthermore, bug bounty programs are gaining popularity, often used as a supplement to traditional app sec programs.
But knowing which solution is best for your organization can be tricky, since there is no one-size-fits-all approach. Here’s how to bolster your organization’s vulnerability management approach and tooling.
Start by adopting DevSecOps
Vulnerability management is the recurring process of identifying, classifying, treating, mitigating, and reporting vulnerabilities. This process should not occur in isolation but rather throughout the entire software development lifecycle.
Doing so provides the opportunity to identify vulnerabilities prior to production release, decreases the need for remediation in later stages of development and testing, and reduces the likelihood of breach and compromise.
Expect vulnerability management to keep shifting left and DevSecOps to become common practice among tech companies moving forward. Respondents to GitLab’s “2020 Global DevSecOps Survey” reported they have already experienced multiple changes in their roles.
Some 28% say they’re increasingly being included on cross-functional teams focused on security, 27% find themselves more involved in day-to-day development activities, and 23% are focusing more on compliance. Only 20% said that their role has not changed and that they do not expect it to change.
Define the scope, create a cadence
Arguably the most important step for a successful vulnerability management process is defining the scope that the process will cover. At GitLab, our security and infrastructure teams partnered to define a scope that would make sure all of our critical environments and systems were covered during deployment. (You can find the environments that are currently in scope for GitLab.com production here.)
With our environments scoped out, we deployed our vulnerability scanner and began the vulnerability management process.
Note that vulnerability management is a continuous feedback loop: Vulnerability scanners provide the data that is ingested and analyzed to remediate confirmed vulnerabilities. Feedback from this process feeds into preventative initiatives that further secure our environments.
At GitLab, we break down vulnerability management into the following steps:
- Vulnerability scanning
Additionally, organizations should set up a regular cadence for scanning their environments to catch newly identified or newly introduced vulnerabilities. This keeps the team proactive in catching and mitigating vulnerabilities, rather than always reacting once a vulnerability has been exposed.
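To make the feedback loop and scanning cadence concrete, here is an added example (not GitLab's code, and not from the original article) of the bookkeeping that sits between a scheduled scan and the report: each scan is diffed against the set of currently open findings, new findings enter a tracker with a first-seen date, findings that no longer appear are treated as mitigated, and anything past its severity-based remediation deadline is flagged. The environment names, host names, finding ids and the SLA table are constructed sample values, not GitLab's policy.

```python
"""Vulnerability management as a feedback loop (added example, not GitLab's code).

Each scheduled scan is diffed against the set of currently open findings: new
findings enter the tracker with a first-seen date, findings that no longer
appear are treated as mitigated, and anything past its severity-based
remediation deadline is flagged for the report. Environments, hosts, finding
ids and the SLA table are constructed sample values, not GitLab policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Scope definition: only assets in these environments are tracked (assumed names).
IN_SCOPE_ENVIRONMENTS = {"production", "staging"}

# Treatment cadence: days allowed to remediate, per severity (assumed values).
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


@dataclass(frozen=True)
class Finding:
    finding_id: str    # scanner's identifier for the weakness (CVE or rule id)
    asset: str         # host or image the finding was observed on
    environment: str   # environment label the asset belongs to
    severity: str      # scanner-reported severity


def in_scope(finding: Finding) -> bool:
    """Classification step 1: drop findings outside the defined scope."""
    return finding.environment in IN_SCOPE_ENVIRONMENTS


def due_date(finding: Finding, first_seen: date) -> date:
    """Classification step 2: derive the remediation deadline from severity."""
    days = REMEDIATION_SLA_DAYS.get(finding.severity.lower())
    if days is None:
        raise ValueError(f"unknown severity {finding.severity!r} on {finding.finding_id}")
    return first_seen + timedelta(days=days)


def ingest_scan(tracker: dict, scan_results: list, scan_date: date) -> dict:
    """One turn of the loop: update the open-findings tracker and report.

    tracker maps each open Finding to the date it was first observed; it is
    the state carried from one scheduled scan to the next.
    """
    observed = {f for f in scan_results if in_scope(f)}
    previously_open = set(tracker)

    new = observed - previously_open
    resolved = previously_open - observed
    persisting = observed & previously_open

    for f in new:
        tracker[f] = scan_date          # identified for the first time this scan
    for f in resolved:
        del tracker[f]                  # no longer reported: treated as mitigated

    # Findings still open past their deadline go to the top of the report.
    overdue = sorted(
        f.finding_id for f, seen in tracker.items() if due_date(f, seen) < scan_date
    )
    return {
        "scan_date": scan_date.isoformat(),
        "new": len(new),
        "resolved": len(resolved),
        "persisting": len(persisting),
        "open": len(tracker),
        "overdue": overdue,
    }


def run_example() -> list:
    """Two constructed scans a month apart; returns the report from each."""
    crit_prod = Finding("VULN-0001", "web-01", "production", "critical")
    med_prod = Finding("VULN-0002", "web-01", "production", "medium")
    high_dev = Finding("VULN-0003", "dev-01", "development", "high")   # out of scope
    high_stage = Finding("VULN-0004", "api-01", "staging", "high")

    first_scan = [crit_prod, med_prod, high_dev]
    second_scan = [crit_prod, high_dev, high_stage]   # VULN-0002 fixed, VULN-0004 new

    tracker: dict = {}
    return [
        ingest_scan(tracker, first_scan, date(2021, 1, 4)),
        ingest_scan(tracker, second_scan, date(2021, 2, 1)),
    ]


if __name__ == "__main__":
    for report in run_example():
        print(report)
```

The second report shows why the cadence matters: the critical finding first seen on the January scan has outlived its seven-day deadline by the February scan and is reported as overdue, the medium finding that disappeared is closed without manual bookkeeping, and the out-of-scope development host never enters the tracker at all. In a real deployment the tracker would be persisted between runs and the scan results would come from the scanner's export rather than constructed objects.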
Some examples of secure scanners (each with a different focus) to help with this process include:
Adopt bug bounty programs
Another helpful method of vulnerability management is a bug bounty program. Organizations can leverage bug bounties to supplement their app sec programs. Running a bug bounty program gets you ahead of security vulnerabilities by opening up your source code to the public, so that experienced security researchers can work with you to find and fix security issues before they become a problem.
In 2020, GitLab’s bug bounty program yielded tremendous results. We received a total of 1,070 reports from 505 security researchers and awarded a total of $380,800 in bounties to 62 different researchers reporting valid vulnerabilities.
Additionally, we resolved 259 reports and made 131 of those reports public. More than 163 security researchers submitted multiple reports, which indicates that their first engagement with us was a positive one.
To maintain a successful bug bounty program, you need to define and communicate a manageable program scope, allocate dedicated resources to program management, and make sure remediation of findings is prioritized.
You should also listen to stakeholder feedback and be responsive in real time to reports; this will help you improve hacker engagement, streamline processes, decrease fix times, and even perhaps unveil new ways to innovate.
For smaller security teams, embracing automation will help scale your bug bounty program. Finally, you should always be transparent about security issues, because this will help establish trust among your user base and set a positive example for other organizations in your industry that might be considering their own bug bounty program.
Get proactive with vulnerability management
There are numerous benefits to organizations shifting their vulnerability management left as they adopt a DevSecOps strategy. But knowing which practices and tools to use may require some trial and error and a deep understanding of the ways in which they’ll be applied.
An effective strategy will allow you to proactively protect your environment against new vulnerabilities and will greatly reduce your risk and volume of incidents. Finally, this proactive strategy, when paired with transparency, will help build trust with your user base and allow you to be a model for other organizations in your industry.