Are you stuck on the Find and Fix Treadmill?
There’s a difference between fixing discovered security defects and managing vulnerabilities. The first is what most developers and security teams do when handed a pen test report that lists specific instances with remediation advice. The second is what suppliers to the US Government who are subject to the SSDF and Executive Order 14028 are encouraged to begin doing.
NIST’s Secure Software Development Framework (SSDF, SP 800-218) has an entire practice group, Respond to Vulnerabilities (RV), devoted to root cause analysis, vulnerability management, and hopping off the find and fix treadmill. According to NIST, the process begins before defects are discovered: it starts with understanding what vulnerabilities could exist in the software. From there, an analysis and testing process checks that the software is free of those identified defects. The SSDF closes the loop by changing how software is developed in the SDLC so the same issues don’t pop up again in the future.
That’s how you manage vulnerabilities. Sure, there’s all sorts of additional work involved with risk ranking, tracking, mitigating, workflows, POA&Ms (plans of action and milestones), metrics, training, and enough tracking systems to make a software sales guy’s quarter, but I only have enough words in my weekly budget to talk about the work itself. Let’s break that work down into its component steps so that you go beyond fixing the bugs you find and instead prevent the bugs that could be.
Vulnerability management starts before vulnerabilities are identified. Threat intelligence is vital because you can’t find something you’re not looking for. Automated security scanning tools and pen tests partly solve this problem by outsourcing that knowledge load to the tool developers and the pen testing firm, but neither is an expert in your application. All they can look for are the generic vulnerabilities that could apply to anybody else. Instead, get smart on the threats that are specific to your industry, the libraries your app consumes, and the architecture you’re building on.
After understanding the threats, do something with that information. If there’s an existing off-the-shelf rule that checks for it in your app, great! If not, write requirements and acceptance criteria that ensure it isn’t written into the code and that it’s tested out before release. After you’ve done this once, write the process down, because there’s going to be a lot of it. For every plausible threat, counter it with a detection, prevention, or mitigation technique that works across the entire portfolio, not just the one app where you first thought of it.
Once the detection techniques are hammered out, treat every confirmed security defect as an escape event: something slipped past the controls you just built. Whether a screening technique or a pen tester found the issue, perform root cause analysis to understand how it was introduced in the first place, then match the solution to the problem. If there was a knowledge gap, fill it with training. If there was a vendor or third-party issue, raise it with the vendor with the understanding that future defects of the same type will not be tolerated. If there is a governance issue, update the documents. If there is a tooling issue, fix the tools or fill the functionality gap.
Close the loop by going back to the threat intelligence step a couple of paragraphs back and treating each root cause analysis as a source of more intelligence. Integrate it into internal training and metrics reporting so everyone can learn from it. And if the defect made it to production, it’s vulnerability disclosure time.
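Here is what the middle of that loop looks like in practice when no off-the-shelf rule exists: a threat from your own intel, written as a detection that runs unchanged across every repo in the portfolio, with the acceptance criterion encoded as a release gate. This is an added example, not code from the newsletter or from NIST. It assumes a Python portfolio that consumes PyYAML and that the threat in question is yaml.load called without a safe Loader; the rule ID, the SAFE_LOADERS set and the sample source files are constructed for the example.

```python
"""
Added example (not from the original newsletter): a portfolio-wide check for a
library-specific threat that a generic scanner rule may not cover.

Assumed scenario: our applications consume PyYAML, and threat intel says that
yaml.load() without a safe Loader deserializes arbitrary Python objects from
untrusted input. The acceptance criterion is "no yaml.load without a safe
Loader ships to release". The check walks each file's AST, so the same rule
runs unchanged over every repository and as a CI gate. The rule ID, the
SAFE_LOADERS set and SAMPLE_SOURCES are assumptions made for this example.
"""
import ast
from dataclasses import dataclass

RULE_ID = "APP-YAML-001"  # hypothetical internal rule identifier

# Loaders we accept. FullLoader and UnsafeLoader are deliberately excluded:
# only these restrict construction to plain YAML types.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    message: str


class _YamlLoadVisitor(ast.NodeVisitor):
    """Collects yaml.load()/yaml.unsafe_load() calls that lack a safe Loader."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.findings: list[Finding] = []
        self.yaml_aliases = set()   # names bound to the yaml module (import yaml as y)
        self.load_aliases = set()   # names bound to yaml.load / yaml.unsafe_load

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "yaml":
                self.yaml_aliases.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "yaml":
            for alias in node.names:
                if alias.name in ("load", "unsafe_load"):
                    self.load_aliases.add(alias.asname or alias.name)
        self.generic_visit(node)

    def _is_risky_load(self, call: ast.Call) -> bool:
        f = call.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            return f.value.id in self.yaml_aliases and f.attr in ("load", "unsafe_load")
        if isinstance(f, ast.Name):
            return f.id in self.load_aliases
        return False

    @staticmethod
    def _loader_arg(call: ast.Call):
        # Loader may be passed by keyword or as the second positional argument.
        for kw in call.keywords:
            if kw.arg == "Loader":
                return kw.value
        return call.args[1] if len(call.args) >= 2 else None

    @classmethod
    def _loader_is_safe(cls, call: ast.Call) -> bool:
        v = cls._loader_arg(call)
        if isinstance(v, ast.Attribute):
            return v.attr in SAFE_LOADERS
        if isinstance(v, ast.Name):
            return v.id in SAFE_LOADERS
        return False  # missing, or something we cannot resolve statically

    def visit_Call(self, node: ast.Call) -> None:
        if self._is_risky_load(node) and not self._loader_is_safe(node):
            self.findings.append(Finding(self.path, node.lineno, RULE_ID,
                                         "yaml.load without a safe Loader"))
        self.generic_visit(node)


def check_source(path: str, source: str) -> list[Finding]:
    """Run the rule over one file's source text and return its findings."""
    visitor = _YamlLoadVisitor(path)
    visitor.visit(ast.parse(source, filename=path))
    return visitor.findings


def release_gate(sources: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Acceptance criterion at release: the gate passes only with zero findings."""
    findings = [f for path, src in sources.items() for f in check_source(path, src)]
    return (not findings), findings


# Constructed sample files standing in for a slice of the portfolio.
SAMPLE_SOURCES = {
    "svc_a/config.py": "import yaml\ncfg = yaml.load(open('c.yml'))\n",
    "svc_b/config.py": "import yaml\ncfg = yaml.load(open('c.yml'), Loader=yaml.SafeLoader)\n",
    "svc_c/config.py": "import yaml\ncfg = yaml.safe_load(open('c.yml'))\n",
    "svc_d/config.py": "from yaml import load\ncfg = load(open('c.yml'))\n",
    "svc_e/config.py": "import yaml as y\ncfg = y.load(open('c.yml'), y.FullLoader)\n",
}

if __name__ == "__main__":
    ok, findings = release_gate(SAMPLE_SOURCES)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule} {f.message}")
    print("release gate:", "PASS" if ok else "FAIL")
```

The point of the AST walk over a regex is that aliases (`import yaml as y`, `from yaml import load as l`) are how real code dodges grep-based rules, and a portfolio-wide control has to survive every team's style. When the gate fails on a new service, that failure is the escape event the next paragraph talks about: the rule catches it, but the root cause (the team didn't know FullLoader is not safe, or a template shipped with the bad call) still needs its own fix.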
Anyway, hopping off the find and fix treadmill isn’t easy, but it’s necessary. In the coming years it’ll be mandatory for suppliers of software to the US Government, and eventually it’ll become industry best practice. Due diligence is about to get a lot more due.
There's always more words to spend on a topic like this one, but I've hit my budget for now. Stay secure, and never forget the humans.
P.S. I’m sorry this issue was delayed, but I have an excuse! Here, have pictures of the crayfish boil I put on yesterday instead of writing this.
Not everyone eats the mudbugs, so I had some gulf shrimp ready too.
I had live crayfish over-nighted in from the bayou.
Smile!
I picked up a taste for crawdads when I was in tech school on the Gulf. Ever since then I’ve put on an annual boil for friends wherever I am. It’s the closest thing I have to a tradition that isn’t already on the calendar.