Kent Welch
March 22, 2023
Every day, CISOs and engineering VPs sort their organizations' tasks into lists: the must-dos, the need-to-dos, and the can-be-done-laters (or not at all). They weigh a variety of considerations in this exercise: business goals, risk management, resource availability, and opportunity cost, all to make the best-informed decisions possible. Yet when it comes to vulnerability management, CISOs and engineering VPs often find themselves in a quandary: their current processes and tools bring in no business or operating context. They are left operating blind as they decide which vulnerabilities to fix, and why.
Context-based vulnerability prioritization, the process of assessing and assigning risk levels to vulnerabilities based on their potential impact within the environment they exist in, is a technique that helps organizations make the most efficient and effective use of their AppSec spend across multiple competing priorities.
Understanding the importance of risk-based vulnerability prioritization
When it comes to vulnerability management, there is no one-size-fits-all approach. That is why context-based prioritization is essential: it enables AppSec teams to deploy remediation strategies and SLAs that align with their overall business risk strategy. By applying context to the vulnerability results, teams can tune their vulnerability management process so that they work first on the vulnerabilities that reduce the most risk. Risk-based prioritization ensures that the most important security areas are addressed first, with less critical vulnerabilities addressed further down the line.
Context attributes used to make these decisions include vulnerability severity, vulnerability age, exploitability, project risk, and business goals. Some or all of these attributes can be specific to each organization. A critical-severity finding in an internal tool with no known exploit may deserve a lower priority than a medium-severity finding in an internet-facing service that is already being exploited. Using this context enables effective vulnerability management, since organizations can direct their efforts toward the vulnerabilities whose resolution provides the most risk relief. Automated context-based risk prioritization also offers agility when priorities change as the threat landscape evolves. Organizations that implement this automation can embrace DevSecOps while intelligently prioritizing their security efforts within their overall risk context.
Vulnerability Management – the wrong way
When it comes to DevSecOps, vulnerability management is an integral part of application security, and often the first thing people think of. Yet too often, all organizations end up doing is bulk prioritization based solely on vulnerability severity, without the business risk and application risk context of each vulnerability. That is often easier and faster in the short term, but it does not give them the bigger-picture context needed to automate the entire process. To keep up with the speed and scalability expectations of DevOps while maintaining a security posture acceptable to the business, AppSec teams need to go beyond shortcuts and embrace full automation and orchestration that reacts intelligently to changing environments. It is the only way to truly get a foothold in DevSecOps.
Without a well-thought-out, automated process, DevSecOps teams will keep creating tickets and notifications to patch individual vulnerabilities that may not make business sense once all the additional context is considered. A DevSecOps team should focus on automating the entire workflow rather than accumulating shortcuts, because end-to-end automation gives organizations the proactive security practice and visibility needed to protect their most valuable assets from attack.
Automate classification & remediation assignment without requiring manual intervention
DevSecOps and application security are both integral components of an organization's vulnerability management strategy, and building a risk scoring system to prioritize vulnerabilities is an effective way to manage enterprise security with limited resources. When designing such a system, consider the context in which each vulnerability occurs so that it can be assessed accurately, as well as its potential for causing harm. There is no one-size-fits-all risk scoring system, but DevSecOps practitioners can create tailored systems that suit their specific requirements and provide key insight into which vulnerabilities pose the greatest threat and should be fixed first.
DevSecOps requires all stakeholders in software product development to work together to ensure application security at scale. To make this effective, implement an efficient risk scoring system that factors in the context of each vulnerability and clearly prioritizes them. DevSecOps teams need to act smartly in vulnerability management; the risk scoring system should be designed to balance project delivery mandates against application security goals. For DevSecOps to succeed, security operations must be aligned and integrated with DevOps processes and procedures.
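As an added example (not code from the original post and not Wabbi's product), here is a small scoring model in Python that combines the context attributes named above, severity, age, exploitability, project risk and business goals, into a single 0-100 risk score and maps it to a remediation SLA. The field names, weights and thresholds are assumptions chosen for illustration, and the sample findings are constructed, not real CVEs.

```python
"""Context-based risk scoring for vulnerability findings (added example).

Field names and weights below are illustrative assumptions, not a standard.
Inputs per finding:
  severity          CVSS v3 base score, 0-10          (vulnerability severity)
  age_days          days since first reported          (vulnerability age)
  exploit_prob      estimated exploitation probability (exploitability)
  known_exploited   exploitation in the wild confirmed (exploitability)
  internet_facing   service reachable from the internet (project risk)
  asset_criticality "high" / "medium" / "low"          (project risk)
  in_release_scope  code ships in the next release      (business goals)
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    id: str
    severity: float
    age_days: int
    exploit_prob: float
    known_exploited: bool
    internet_facing: bool
    asset_criticality: str
    in_release_scope: bool


# Illustrative weights and SLA thresholds: tune to the organization's risk appetite.
ASSET_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
SLA_DAYS: List[Tuple[float, Optional[int]]] = [(75.0, 7), (40.0, 30), (20.0, 90)]


def risk_score(f: Finding) -> float:
    """Combine severity with exploitability, exposure, asset value, age and
    business goals into a 0-100 score. The factors multiply, so a weak
    context (internal, low-value, unexploited) pulls even a CVSS 9.8 down."""
    base = max(0.0, min(f.severity, 10.0)) / 10.0
    # Confirmed exploitation counts as certain; otherwise scale between 0.4 and
    # 1.0 so low-probability findings are discounted but never zeroed out.
    exploit = 1.0 if f.known_exploited else 0.4 + 0.6 * max(0.0, min(f.exploit_prob, 1.0))
    exposure = 1.0 if f.internet_facing else 0.6
    asset = ASSET_WEIGHT[f.asset_criticality]
    # Unfixed findings accumulate risk; the bonus saturates at 90 days (+25%).
    age = 1.0 + 0.25 * min(f.age_days / 90.0, 1.0)
    # Findings in code about to ship get a bump so they are fixed before release.
    goal = 1.2 if f.in_release_scope else 1.0
    return round(min(100.0 * base * exploit * exposure * asset * age * goal, 100.0), 1)


def assign_sla(score: float) -> Optional[int]:
    """Map a score to a remediation SLA in days; None means backlog."""
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return None


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, Optional[int]]]:
    """Return (id, score, sla_days) rows sorted highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append((f.id, score, assign_sla(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample findings (hypothetical, not real CVEs).
SAMPLE_FINDINGS = [
    Finding("finding-1", 9.8, 5, 0.02, False, False, "low", False),     # critical CVSS, internal, low-value
    Finding("finding-2", 7.5, 30, 0.90, True, True, "high", True),      # high CVSS, exploited, exposed, shipping
    Finding("finding-3", 5.3, 200, 0.30, False, True, "medium", False), # medium CVSS, old, exposed
    Finding("finding-4", 9.1, 10, 0.50, False, True, "high", False),    # critical CVSS, exposed, high-value
]

if __name__ == "__main__":
    for fid, score, sla in prioritize(SAMPLE_FINDINGS):
        sla_text = "backlog" if sla is None else f"{sla}d"
        print(f"{fid:10s} score={score:5.1f}  sla={sla_text}")
```

Run stand-alone, finding-1, a CVSS 9.8 on an internal, low-value asset with no known exploit, lands in the backlog below a medium-severity finding on an exposed service; that inversion is the whole point of adding context. The weights and thresholds are the knobs an organization tunes to its own risk appetite, and the input attributes should be recorded on each ticket so that every assignment is auditable later.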
DevSecOps and AppSec teams have long toiled with manual processes for identifying critical assets and services, often settling for quick "band-aids" that address the here and now. While this works in some cases, it fails when context is paramount, such as when identifying which critical assets and services are vulnerable to attack.
By unifying security into DevOps procedures early on, organizations can make sure that the applications they deploy have adequate protection from malicious actors and malware. Risk must still be managed to keep those assets secure, which requires rigorous application security testing to identify and mitigate software vulnerabilities before adversaries can exploit them. DevSecOps offers a unique opportunity to protect digital assets by building secure systems from the ground up.
Want to learn more about how you can integrate AppSec into your development pipeline?