Similar to the quote "When you don't know what you're aiming at, you'll always miss", for security I like to say "You're least vulnerable when you know where you're most vulnerable".
This means that as a security and compliance professional, you need to have a full view on your infrastructure, systems and people interactions so that you understand its different components and how everything hangs together. Only then you'll be efficient in identifying real vulnerabilities that pose an actual risk to your business.
Getting this helicopter view is often what sets apart a good security and compliance professionals, because they are able to think out of the box, and see things others might have missed. While some issues might simply be due to a problematic process, often the problem lies more hidden in the way a system has been technically set up, developed, or a vulnerability that is embedded in a 3rd party software/library we consider safe. Unfortunately sometimes simple negligence due to overworked or insufficiently trained collaborators is also something that lays at the root of vulnerabilities.
Luckily for us there are many ways we can identify these vulnerabilities before they are exploited, and this is our first step in effective vulnerability management. Here we give a non-exhaustive overview of common methods we can use in our arsenal.
Host-based or endpoint scanners
These are used to locate and identify vulnerabilities in your workstations, servers or other network hosts and provide greater visibility into the configuration settings and patch history of scanned systems. Host-based vulnerability assessment tools can also provide an insight into the potential damage that can be done by insiders and outsiders once some level of access is granted or taken on a system. Solutions that centralise all findings into a central place make the life of a security professional much easier, especially when many systems are remote. A good solution allows you to instantly isolate the device while giving you the possibility to understand what happened or what needs to be fixed.
Network based vulnerability scanners identify possible network security attacks and vulnerable systems on wired or wireless networks. Network-based scanners discover unknown or unauthorized devices and systems on a network, help determine if there are unknown perimeter points on the network, such as unauthorized remote access servers, or connections to insecure networks of business partners. The new generations of tools also use AI based technology to create a pattern of "normal" activity, so that outliers or sudden connections to suspicious IP addresses in foreign countries are quickly identified.
Static application security testing (SAST)
With SAST you will scan your actual application source code for logic mistakes and common developer origin vulnerabilities like those in the OWASP top 10. This type of scan is considered a white box scan, because you'll give the tools (online or on premise) direct access to the source code. Most of the tools on the market will use vast databases of common programming error patterns, or will use sophisticated AI and random function fuzzing. SAST is very efficient in at least identifying the low hanging fruit that would otherwise be like walking into an open door for an attacker. The nice thing about SAST is that it applies early in your development life cycle, and notifies you of vulnerabilities so you can block the deployment before they go live (if you have the resources and acceptance of the business to do so). SAST will generally be less expensive to fix issues because you detect them quickly and often before the QA cycle.
Dynamic application security testing (DAST)
With DAST you will most often be on the black box side, where the tool does not have a lot of knowledge about the application. (except perhaps some credentials so they can also analyse the logged in part). Using a database of many known vulnerabilities and corresponding exploits, these tools will scan your application in an automated way to ensure none of them apply to your application. Similar to SAST, this approach also allows you to filter out the low hanging fruit, but is much slower due to many tests to be done and because it cannot intelligently follow the code of your application and only apply what makes sense.
Software composition analysis (SCA)
Nobody likes to reinvent the wheel, and this is why every application includes some sort of 3rd party code or dependency that often is simply used without any code review. In the past years this has become a key source of vulnerabilities, because even with great security conscious internal developers, the use of a vulnerable dependency will put your application at risk because the attackers know exactly how to identify if you're using such dependencies and will use the publicly documented methods to execute their attacks.
An often overlooked component of 3rd party code, and something that also should be part of your SCA solution, is 3rd party or open source code licensing scanning. Several open source libraries are actually published in open source but require you to make your own code public if you compile their library into the application. Imagine the impact on your business, if it suddenly turns out that your proprietary code now needs to become public domain.
Though sometimes integrated into network-based scanners, I'm listing wireless scanners separately because they are often a cause of concern. These tools help you identify rogue WIFI access points that simulate your legitimate ones, or help you identify badly configured wireless security or suspicious behaviour commonly used when trying to crack a wireless network.
These tools are designed to identify vulnerabilities and inappropriate configurations within databases making sure they don't become a weak point in your architecture. As databases are a complex technology by itself and most companies lack the expertise to properly configure these systems, it is a commonly overlooked weak point with multiple ready to exploit vulnerabilities.
Internal or external system pentesting
This is probably the most costly solution, but often the most efficient one. Here you get the choice to do a white, grey or black box security audit by a professional security specialist, that will simulate how a real attacker would look at your systems. There is no system (yet) that can replace this kind of audit, and is a good way to make sure there are no complex to find vulnerabilities hidden in your application. These generally take place during a specific time period and with a very well defined scope of what needs to be tested.
Similar to pentests this solution is very efficient as it also uses professional security specialist that will simulate how a real attacker would look at your system. The big difference (and advantage) here is that it does not rely on a limited team of people to execute the tests, but instead leverages a vast network of different security domain specialist to each time look at your system from a different point of view. In general these solutions also only require you to pay for actual vulnerability findings, rather than the time they spend on your systems to find issues.
What all of the above tools have in common is that they will provide you with a specific vulnerability that has a publicly agreed severity scoring (CVE/CVSS/CWE). Then this vulnerability ends up on your huge list of things to do, and you have no idea which of those will be exploited first.
That's why you need a good way to manage your vulnerabilities. Most of these tools will provide by themselves a good way to understand and prioritize their importance, but tracking and organizing the timely and correct execution of a remediation with your internal teams is where we often loose most of the time. Often fixes to vulnerabilities are more complex than they initially seem to be, and require specific task/project planning and the collaboration of multiple team players.
A typical ISMS will only provide you a way to identify and classify such risks, but will lack the features to document how everything hangs together and take the next steps in organizing and collecting all other technical/meeting details required to remediate the issue.
With Brainframe we let you use the tools you feel more comfortable with to identify the vulnerabilities, but give you a visual information management system to put all the information together in one place with an integrated risk management system so it makes sense to you as a security and compliance professional, but also becomes a central place for your executing team members to collaborate and keep an overview on all relevant information and decisions.