Vulnerability management
Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities. Vulnerability management is integral to computer security and network security, and must not be confused with vulnerability assessment. Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities (Anna-Maija Juuso and Ari Takanen, ''Unknown Vulnerability Management'', Codenomicon whitepaper, October 201), such as open ports, insecure software configurations, and susceptibility to malware infections. They may also be identified by consulting public sources, such as the NVD, or by subscribing to a commercial vulnerability alerting service such as Symantec's DeepSight Vulnerability Datafeed or Accenture's Vulnerability Intelligence Service. Unknown vulnerabilities, such as a zero-day, may be found with fuzz testing. Fuzz testing can identify certain kinds of vulnerabilities, such as a buffer overflow, given relevant test cases; such analysis can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file). Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software, or educating users about social engineering.
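The cycle described above (identify, classify, prioritize, remediate) as an added example that is not part of the original article: it runs over constructed scanner findings and maps each finding class to one of the remediation options the article names. Host names, scores and the priority weights are assumptions for illustration, not a standard formula.

```python
# Added example, not from the article: one pass of identify -> classify ->
# prioritize -> remediate over constructed scanner findings (assumed inputs).
from dataclasses import dataclass, field

# Remediation options named in the article, keyed by finding class.
REMEDIATION = {
    "known_cve": "install vendor patch",
    "open_port": "change network security policy (firewall rule)",
    "insecure_config": "reconfigure software",
    "malware_susceptibility": "educate users about social engineering",
}

@dataclass
class Finding:
    host: str
    kind: str              # classification: one of REMEDIATION's keys
    severity: float        # 0-10, CVSS-like base score (assumed scanner input)
    internet_facing: bool  # exposure, as reported by the scanner
    exploit_known: bool    # e.g. flagged by an alerting-service feed
    status: str = "open"
    action: str = field(init=False)

    def __post_init__(self):
        if self.kind not in REMEDIATION:
            raise ValueError(f"unclassified finding kind: {self.kind}")
        self.action = REMEDIATION[self.kind]

def priority(f: Finding) -> float:
    """Prioritize: severity weighted by exposure, plus a bonus if an exploit
    is known. Weights are assumptions, not a standard scoring formula."""
    score = f.severity * (1.5 if f.internet_facing else 1.0)
    if f.exploit_known:
        score += 2.0
    return round(min(score, 15.0), 2)

def triage(findings):
    """Open findings, highest priority first (the remediation queue)."""
    return sorted((f for f in findings if f.status == "open"),
                  key=priority, reverse=True)
def remediate(f: Finding) -> Finding:
    """Close a finding; the next scan (next cycle) must confirm it stays closed."""
    f.status = "remediated"
    return f
# Constructed sample scanner output (not real hosts or findings).
SAMPLE = [
    Finding("db01", "open_port", 5.0, internet_facing=True, exploit_known=False),
    Finding("web01", "known_cve", 9.8, internet_facing=True, exploit_known=True),
    Finding("hr-pc7", "malware_susceptibility", 4.0, internet_facing=False, exploit_known=False),
    Finding("app02", "insecure_config", 7.5, internet_facing=False, exploit_known=True),
]
```

Because the practice is cyclical, a remediated finding leaves the queue only until the next scan either confirms the fix or reopens it.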


Project vulnerability management

Project vulnerability is the project's susceptibility to being subject to negative events, the analysis of their impact, and the project's capability to cope with negative events. Based on Systems Thinking, project systemic vulnerability management takes a holistic vision and proposes the following process:

1. Project vulnerability identification.
2. Vulnerability analysis.
3. Vulnerability response planning.
4. Vulnerability controlling, which includes implementation, monitoring, control, and lessons learned.

Coping with negative events is done, in this model, through:

* resistance, the static aspect, referring to the capacity to withstand instantaneous damage, and
* resilience, the dynamic aspect, referring to the capacity to recover in time.

''Redundancy'' is a specific method to increase resistance and resilience in vulnerability management. ''Antifragility'' is a concept introduced by Nassim Nicholas Taleb to describe the capacity of systems to not only resist or recover from adverse events, but also to improve because of them. Antifragility is similar to the concept of positive complexity proposed by Stefan Morcov.


See also

* Application security
* Full disclosure
* Long-term support
* IT risk
* Risk management
* Project management
* Project complexity




External links

* "Implementing a Vulnerability Management Process", ''SANS Institute.''