Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities. Vulnerability management is integral to

computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...

and network security, and must not be confused with vulnerability assessment. Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities,Anna-Maija Juuso and Ari Takanen ''Unknown Vulnerability Management'', Codenomicon whitepaper, October 201

such as open ports, insecure software configurations, and susceptibility to

malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...

infections. They may also be identified by consulting public sources, such as NVD, vendor specific security updates or subscribing to a commercial vulnerability alerting service. Unknown vulnerabilities, such as a zero-day, may be found with fuzz testing. Fuzzing is a cornerstone technique where random or semi-random input data is fed to programs to detect unexpected behavior. Tools such as AFL ( American Fuzzy Lop) and libFuzzer automate this process, making it faster and more efficient. Fuzzy testing can identify certain kinds of vulnerabilities, such as a buffer overflow with relevant

test case In software engineering, a test case is a specification of the inputs, execution conditions, testing procedure, and expected results that define a single test to be executed to achieve a particular software testing objective, such as to exercise ...

s. Similarly,

static analysis Static analysis, static projection, or static scoring is a simplified analysis wherein the effect of an immediate change to a system is calculated without regard to the longer-term response of the system to that change. If the short-term effect i ...

tools analyze source code or

binaries A binary file is a computer file that is not a text file. The term "binary file" is often used as a term meaning "non-text file". Many binary file formats contain parts that can be interpreted as text; for example, some computer document files ...

to identify potential vulnerabilities without executing the program.

Symbolic execution In computer science, symbolic execution (also symbolic evaluation or symbex) is a means of analyzing a program to determine what inputs cause each part of a program to execute. An interpreter follows the program, assuming symbolic values for i ...

, an advanced technique combining static and dynamic analysis, further aids in pinpointing vulnerabilities. Such analysis can be facilitated by

test automation In software testing, test automation is the use of software separate from the software being tested to control the execution of tests and the comparison of actual outcomes with predicted outcomes. Test automation can automate some repetitive bu ...

. In addition,

antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name ...

capable of

heuristic A heuristic or heuristic technique (''problem solving'', '' mental shortcut'', ''rule of thumb'') is any approach to problem solving that employs a pragmatic method that is not fully optimized, perfected, or rationalized, but is nevertheless ...

analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file). Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software, or educating

users Ancient Egyptian roles * User (ancient Egyptian official), an ancient Egyptian nomarch (governor) of the Eighth Dynasty * Useramen, an ancient Egyptian vizier also called "User" Other uses * User (computing), a person (or software) using an ...

about social engineering.

Project vulnerability management

Project vulnerability is the project's susceptibility to being subject to negative events, the analysis of their impact, and the project's capability to cope with negative events. Based on Systems Thinking, project systemic vulnerability management takes a holistic vision, and proposes the following process: #Project vulnerability identification #Vulnerability analysis #Vulnerability response planning #Vulnerability controlling – which includes implementation, monitoring, control, and lessons learned Coping with negative events is done, in this model, through: * resistance – the static aspect, referring to the capacity to withstand instantaneous damage, and * resilience – the dynamic aspect, referring to the capacity to recover in time. '' Redundancy'' is a specific method to increase resistance and resilience in vulnerability management. '' Antifragility'' is a concept introduced by Nassim Nicholas Taleb to describe the capacity of systems to not only resist or recover from adverse events, but also to improve because of them. Antifragility is similar to the concept of positive complexity proposed by Stefan Morcov.

References

External links

"Implementing a Vulnerability Management Process"
''SANS Institute.'' {{Information security Computer security procedures Security compliance *

Project vulnerability management

See also

References

External links