The traditional approaches to vulnerability management include dynamic application security testing (DAST) and static application security testing (SAST), but are those enough?
The growing trend toward cloud-native applications has spawned a multitude of developer tools, shifting security left and giving developers the ability to identify and remediate their own vulnerabilities before SAST and DAST tools can be used. Furthermore, bug bounty programs are gaining popularity, often used as a supplement to traditional app sec programs.
But knowing which solution is best for your organization can be tricky, since there is no one-size-fits-all approach. Here's how to bolster your organization's vulnerability management approach and tooling.
Start by adopting DevSecOps
Vulnerability management is the recurring process of identifying, classifying, treating, mitigating, and reporting vulnerabilities. This process should not occur in isolation but rather throughout the entire software development lifecycle.
Doing so provides the opportunity to identify vulnerabilities prior to production release, decreases the need for remediation in later stages of development and testing, and reduces the likelihood of breach and compromise.
Expect to see vulnerability management start to shift left and the notion of DevSecOps to become common practice among tech companies moving forward. Respondents to GitLab’s "2020 Global DevSecOps Survey" reported they have already experienced multiple changes in their roles.
Some 28% say they're increasingly being included on cross-functional teams focused on security, 27% find themselves more involved in day-to-day development activities, and 23% are focusing more on compliance. Only 20% said that their role has not changed and that they do not expect it to change.
Define the scope, create a cadence
Arguably the most important step for a successful vulnerability management process is defining the scope that the process will cover. At GitLab, our security and infrastructure teams partnered to define a scope that would make sure all of our critical environments and systems were covered during deployment. (You can find the environments that are currently in scope for GitLab.com production here.)
With our environments scoped out, we deployed our vulnerability scanner and began the vulnerability management process.
Note that vulnerability management is a continuous feedback loop: Vulnerability scanners provide the data that is ingested and analyzed to remediate confirmed vulnerabilities. Feedback from this process feeds into preventative initiatives that further secure our environments.
We break down vulnerability management into the following steps:
- Vulnerability scanning
- Reporting/analysis
- Ingestion
- Validation
- Remediation
- Feedback
Additionally, organizations should set up a regular cadence to scan their environments to catch newly identified or newly introduced vulnerabilities. This keeps the team proactive in catching and mitigating vulnerabilities, rather than always reacting once a vulnerability has been exposed.
Some examples of secure scanners (each with a different focus) to help with this process include:
- SAST
- DAST
- Dependency scanning
- Container scanning
- Secret detection
- Fuzz testing
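The ingestion, validation, remediation and feedback steps listed above, written out as an added example that is not GitLab's code or part of the original article: it reconciles two constructed scans (in the shape of the JSON security report the scanners above emit) against a running tracker and flags open findings that have outlived a constructed per-severity remediation SLA.

```python
from datetime import date, timedelta

# Remediation deadline in days after first detection, per severity (constructed policy).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def fingerprint(vuln):
    """Stable identity across scans: key on what and where, not on the per-run scanner id."""
    loc = vuln.get("location", {})
    package = loc.get("dependency", {}).get("package", {}).get("name")
    return (vuln["name"], loc.get("file"), loc.get("start_line"), package)


def ingest(tracker, report, scan_date):
    """Ingestion: reconcile one scan with the tracker (in place); returns (new, recurring, resolved)."""
    seen = {fingerprint(v): v for v in report["vulnerabilities"]}
    new, recurring, resolved = [], [], []
    for fp, v in seen.items():
        if fp in tracker and tracker[fp]["status"] != "resolved":
            recurring.append(fp)          # already tracked: keep its first_seen and SLA clock
        else:                             # first sighting, or a regression of a resolved finding
            tracker[fp] = {"severity": v["severity"], "first_seen": scan_date, "status": "open"}
            new.append(fp)
    for fp, entry in tracker.items():
        if fp not in seen and entry["status"] == "open":
            entry["status"] = "resolved"  # no longer reported: the rescan confirms the fix
            resolved.append(fp)
    return new, recurring, resolved


def overdue(tracker, today):
    """Feedback: open findings whose severity SLA has elapsed (false positives are never 'open')."""
    return [fp for fp, e in tracker.items() if e["status"] == "open"
            and today > e["first_seen"] + timedelta(days=SLA_DAYS[e["severity"]])]


# Constructed sample reports in the shape of GitLab's security report JSON (values made up).
SCAN_DAY1 = {"vulnerabilities": [
    {"name": "SQL injection", "severity": "High",
     "location": {"file": "app/models/user.rb", "start_line": 42}},
    {"name": "Vulnerable dependency", "severity": "Medium",
     "location": {"file": "Gemfile.lock", "dependency": {"package": {"name": "nokogiri"}}}}]}
SCAN_DAY40 = {"vulnerabilities": [
    {"name": "SQL injection", "severity": "High",
     "location": {"file": "app/models/user.rb", "start_line": 42}},
    {"name": "Hard-coded secret", "severity": "Critical",
     "location": {"file": "config/secrets.yml", "start_line": 3}}]}


def run_demo():
    tracker, day1 = {}, date(2021, 1, 4)
    new1, _, _ = ingest(tracker, SCAN_DAY1, day1)
    day40 = day1 + timedelta(days=40)  # the next scheduled scan in the cadence
    new2, rec2, res2 = ingest(tracker, SCAN_DAY40, day40)
    return len(new1), len(new2), len(rec2), len(res2), [fp[0] for fp in overdue(tracker, day40)]
```

On the sample data the second scan reports one new finding, one recurring, and one resolved, and the recurring High finding is past its 30-day SLA.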
Adopt bug bounty programs
Bug bounty programs are another helpful vulnerability management method. Organizations can leverage bug bounties to supplement their app sec programs. Running a bug bounty program gets you ahead of any security vulnerabilities by opening up your source code to the public, and experienced security researchers can then work with you to find and solve any security issues before they become a problem.
In 2020, GitLab's bug bounty program yielded tremendous results. We received a total of 1,070 reports from 505 security researchers and awarded a total of $380,800 in bounties to 62 different researchers who reported valid vulnerabilities.
We also resolved 259 reports, 131 of which we made public. More than 163 security researchers submitted multiple reports, which indicates that their first engagement with us was a positive one.
To maintain a successful bug bounty program, you need to define and communicate a manageable program scope, allocate dedicated resources to program management, and ensure that remediation of findings is prioritized.
You should also listen to stakeholder feedback and be responsive in real time to reports; this will help you improve hacker engagement, streamline processes, decrease fix times, and even perhaps unveil new ways to innovate.
For smaller security teams, embracing automation will help scale your bug bounty program. Finally, you should always be transparent about security issues, because this will help establish trust with your user base and set a positive example for other organizations in your industry that might be considering their own bug bounty program.
Get proactive with vulnerability management
There are many benefits to shifting vulnerability management left as your organization adopts a DevSecOps strategy, but knowing which practices and tools to use may require some trial and error—and a deep understanding of the ways in which they'll be applied.
An effective strategy will allow you to proactively protect your environment against new vulnerabilities and will greatly reduce your risk and volume of incidents. Finally, a proactive strategy, when paired with transparency, will help build trust with your user base and allow you to be a model for other organizations in your industry.