Vulnerability Management: The Heart of OWASP Top 10
You’re a new CISO – your chief priority is to ensure that security is embedded within business workflows. At the macro level, you are charged with assessing and remediating vulnerabilities. On one hand, there is no such thing as an acceptable risk. On the other hand, you are charged with conducting a symphony of people, products, and information while facing resource shortages and an ever-expanding threat economy and attack surface as the enterprise grows. How do you work through this inherent conflict? In a dream world you would have overlapping products, a massive payroll to build out an expert security team, and strict adherence to all protocols, policies, and procedures. But that’s just it: it only occurs in a dream. It’s time to face the music. This is where vulnerability management comes in.
The Cybersecurity and Infrastructure Security Agency (CISA) defines vulnerabilities and vulnerability management as:
The feature or condition that, if exploited by a threat (natural or man-made), renders an entity (i.e., an entire organization or any of its constituent parts) susceptible to a risk. The CRR focuses on a specific critical service of the organization. Each aspect of the service is discussed in terms of the various assets that support the service. A vulnerability in the service is a result of a vulnerability in one or more of its assets. Assets are divided into the categories of people, information, technology, and facilities. Vulnerability management is a key component in planning for and determining the appropriate implementation of controls and the management of risk. It is reasonable to say that vulnerability management is central to cyber resilience. The topics of the other CRR domains provide information about vulnerable conditions (Asset Management, Configuration and Change Management, External Dependencies Management, and Situational Awareness) or provide for a response to the vulnerable conditions (Controls Management, Incident Management, Service Continuity Management, Risk Management, and Training and Awareness). Vulnerability management assures that the organization understands its weaknesses so that it can plan accordingly.
It comes down to risk mitigation. What constitutes risk? The exploitation of a vulnerability. The vulnerability management cycle begins with defining a strategy. Cyber risk to an organization is calculated by the following formula: Cyber risk = Threat * Vulnerability * Information Value. Although there are several other methods of quantifying cyber risk, this is perhaps the most widely used formulation. Risks can be avoided, accepted (the worst course of action), controlled, or monitored.
Developing and communicating your organization’s risk appetite comes down to looking at the intersection of frequency and impact, bounded by business and regulatory constraints. Many organizations draw this information out by creating a threat matrix in which risks are categorized by severity and likelihood. In today’s threat landscape, web application security is paramount in the mind of CISOs. After all, web app attacks grew 251% over two years according to the 2019-2021 study conducted by Imperva. The first reference CISOs look at when developing a data-driven security program that addresses the greatest web application security risks is the OWASP Top 10. The last iteration was completed in 2021.
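To make the risk formula and the threat matrix concrete, here is an added worked example (not part of the original article, and not a CISA or OWASP tool). It scores a small constructed risk register with Cyber risk = Threat * Vulnerability * Information Value, places each finding in a likelihood/impact matrix, and maps it to one of the four dispositions against an assumed risk appetite; the 1-to-5 scales, the band cut-offs and the appetite threshold are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One risk-register entry. Scores run 1 (low) to 5 (high); scale is an assumption."""
    asset: str
    threat: int          # likelihood a threat actor targets this asset
    vulnerability: int   # ease of exploiting the weakness
    info_value: int      # value of the information at stake


def cyber_risk(f: Finding) -> int:
    """Cyber risk = Threat * Vulnerability * Information Value (range 1..125)."""
    for score in (f.threat, f.vulnerability, f.info_value):
        if not 1 <= score <= 5:
            raise ValueError("scores must be between 1 and 5")
    return f.threat * f.vulnerability * f.info_value


def band(value: int, maximum: int) -> str:
    """Split a 1..maximum score into thirds: low / medium / high (assumed cut-offs)."""
    if value > 2 * maximum // 3:
        return "high"
    if value > maximum // 3:
        return "medium"
    return "low"


def matrix_cell(f: Finding) -> tuple[str, str]:
    """Place a finding in the threat matrix as (likelihood, impact)."""
    likelihood = f.threat * f.vulnerability   # 1..25: how likely exploitation is
    return band(likelihood, 25), band(f.info_value, 5)


def disposition(f: Finding, appetite: int) -> str:
    """Map a risk score to avoid / control / monitor / accept relative to the appetite."""
    r = cyber_risk(f)
    if r > 2 * appetite:
        return "avoid"          # far beyond appetite: remove the exposure
    if r > appetite:
        return "control"        # above appetite: remediate or mitigate
    if r > appetite // 2:
        return "monitor"        # within appetite but worth watching
    return "accept"             # well within appetite


def prioritize(findings: list[Finding], appetite: int) -> list[tuple[int, str, str]]:
    """Return (risk, asset, disposition) tuples, highest risk first."""
    scored = [(cyber_risk(f), f.asset, disposition(f, appetite)) for f in findings]
    return sorted(scored, reverse=True)


# Constructed sample register; these are not real assets or measurements.
REGISTER = [
    Finding("customer-db", threat=5, vulnerability=4, info_value=5),
    Finding("marketing-site", threat=4, vulnerability=3, info_value=2),
    Finding("dev-wiki", threat=2, vulnerability=2, info_value=1),
]
```

Calling `prioritize(REGISTER, appetite=30)` yields the remediation order with its disposition, and `matrix_cell` gives the row/column to plot in the threat matrix.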
Crashtest Security created an OWASP Top 10 Ultimate Vulnerability Guide which contains a breakdown of each vulnerability in the OWASP Top 10, provides examples, and suggests remediations for each one. It can be found at: https://crashtest-security.com/owasp-top-10-2021/
Sources:
CISA, CRR Supplemental Resource Guide, Vulnerability Management, Volume 4, Version 1.1, https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-VM_0.pdf
Infosecurity Magazine, Web App Attacks Surge 251% in Two Years, https://www.infosecurity-magazine.com/news/web-app-attacks-surge-251-in-two/?&web_view=true
1 year ago: Very well articulated.