Vulnerability management
   HOME

TheInfoList



OR:

Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities. Vulnerability management is integral to
computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
and network security, and must not be confused with vulnerability assessment. Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities,Anna-Maija Juuso and Ari Takanen ''Unknown Vulnerability Management'', Codenomicon whitepaper, October 201

such as open ports, insecure software configurations, and susceptibility to
malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...
infections. They may also be identified by consulting public sources, such as NVD, vendor specific security updates or subscribing to a commercial vulnerability alerting service. Unknown vulnerabilities, such as a zero-day, may be found with fuzz testing. Fuzzing is a cornerstone technique where random or semi-random input data is fed to programs to detect unexpected behavior. Tools such as AFL ( American Fuzzy Lop) and libFuzzer automate this process, making it faster and more efficient. Fuzzy testing can identify certain kinds of vulnerabilities, such as a buffer overflow with relevant
test case In software engineering, a test case is a specification of the inputs, execution conditions, testing procedure, and expected results that define a single test to be executed to achieve a particular software testing objective, such as to exercise ...
s. Similarly,
static analysis Static analysis, static projection, or static scoring is a simplified analysis wherein the effect of an immediate change to a system is calculated without regard to the longer-term response of the system to that change. If the short-term effect i ...
tools analyze source code or
binaries A binary file is a computer file that is not a text file. The term "binary file" is often used as a term meaning "non-text file". Many binary file formats contain parts that can be interpreted as text; for example, some computer document files ...
to identify potential vulnerabilities without executing the program.
Symbolic execution In computer science, symbolic execution (also symbolic evaluation or symbex) is a means of analyzing a program to determine what inputs cause each part of a program to execute. An interpreter follows the program, assuming symbolic values for i ...
, an advanced technique combining static and dynamic analysis, further aids in pinpointing vulnerabilities. Such analysis can be facilitated by
test automation In software testing, test automation is the use of software separate from the software being tested to control the execution of tests and the comparison of actual outcomes with predicted outcomes. Test automation can automate some repetitive bu ...
. In addition,
antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name ...
capable of
heuristic A heuristic or heuristic technique (''problem solving'', '' mental shortcut'', ''rule of thumb'') is any approach to problem solving that employs a pragmatic method that is not fully optimized, perfected, or rationalized, but is nevertheless ...
analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file). Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software, or educating
users Ancient Egyptian roles * User (ancient Egyptian official), an ancient Egyptian nomarch (governor) of the Eighth Dynasty * Useramen, an ancient Egyptian vizier also called "User" Other uses * User (computing), a person (or software) using an ...
about social engineering.


Project vulnerability management

Project vulnerability is the project's susceptibility to being subject to negative events, the analysis of their impact, and the project's capability to cope with negative events. Based on Systems Thinking, project systemic vulnerability management takes a holistic vision, and proposes the following process: #Project vulnerability identification #Vulnerability analysis #Vulnerability response planning #Vulnerability controlling – which includes implementation, monitoring, control, and lessons learned Coping with negative events is done, in this model, through: * resistance – the static aspect, referring to the capacity to withstand instantaneous damage, and * resilience – the dynamic aspect, referring to the capacity to recover in time. '' Redundancy'' is a specific method to increase resistance and resilience in vulnerability management. '' Antifragility'' is a concept introduced by Nassim Nicholas Taleb to describe the capacity of systems to not only resist or recover from adverse events, but also to improve because of them. Antifragility is similar to the concept of positive complexity proposed by Stefan Morcov.


See also

* Application security * Full disclosure *
IT risk It or IT may refer to: * It (pronoun), in English * Information technology Arts and media Film and television * ''It'' (1927 film), a film starring Clara Bow * '' It! The Terror from Beyond Space'', a 1958 science fiction film * ''It!'' (1967 ...
*
Long-term support Long-term support (LTS) is a product lifecycle management policy in which a stable release of computer software is maintained for a longer period of time than the standard edition. The term is typically reserved for open-source software, where it ...
*
Project management Project management is the process of supervising the work of a Project team, team to achieve all project goals within the given constraints. This information is usually described in project initiation documentation, project documentation, crea ...
*
Project complexity Project complexity is the property of a project which makes it difficult to understand, foresee, and keep under control its overall behavior, even when given reasonably complete information about the project system. With a lens of systems thinking, ...
*
Risk management Risk management is the identification, evaluation, and prioritization of risks, followed by the minimization, monitoring, and control of the impact or probability of those risks occurring. Risks can come from various sources (i.e, Threat (sec ...


References


External links


"Implementing a Vulnerability Management Process"
''SANS Institute.'' {{Information security Computer security procedures Security compliance *