Vulnerability Management
   HOME

TheInfoList



Click Here for Items Related To - Vulnerability Management
OR:
Vulnerability Management on:   [Wikipedia]   [Google]   [Amazon]

Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities. Vulnerability management is integral to
computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...
and
network security Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves th ...
, and must not be confused with vulnerability assessment. Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities,Anna-Maija Juuso and Ari Takanen ''Unknown Vulnerability Management'', Codenomicon whitepaper, October 201

 such as
open port In security parlance, the term open port is used to mean a TCP or UDP port number that is configured to accept packets. In contrast, a port which rejects connections or ignores all packets directed at it is called a closed port. Ports are an int ...
s, insecure software configurations, and susceptibility to
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, de ...
infections. They may also be identified by consulting public sources, such as NVD, or subscribing to a commercial vulnerability alerting service such as Symantec's DeepSight Vulnerability Datafeed or Accenture's Vulnerability Intelligence Service. Unknown vulnerabilities, such as a zero-day, may be found with
fuzz testing Fuzz may refer to: * ''Fuzz'' (film), a 1972 American comedy * '' Fuzz: When Nature Breaks the Law'', a nonfiction book by Mary Roach * The fuzz, a slang term for police officers Music * Fuzz (electric guitar), distortion effects to create "wa ...
. Fuzzy testing can identify certain kinds of vulnerabilities, such as a
buffer overflow In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memor ...
with relevant
test case In software engineering, a test case is a specification of the inputs, execution conditions, testing procedure, and expected results that define a single test to be executed to achieve a particular software testing objective, such as to exercise ...
s. Such analysis can be facilitated by test automation. In addition,
antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name ...
capable of
heuristic A heuristic (; ), or heuristic technique, is any approach to problem solving or self-discovery that employs a practical method that is not guaranteed to be optimal, perfect, or rational, but is nevertheless sufficient for reaching an immediat ...
analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file). Correcting vulnerabilities may variously involve the installation of a
patch Patch or Patches may refer to: Arts, entertainment and media * Patch Johnson, a fictional character from ''Days of Our Lives'' * Patch (''My Little Pony''), a toy * "Patches" (Dickey Lee song), 1962 * "Patches" (Chairmen of the Board song ...
, a change in network security policy, reconfiguration of software, or educating
users Ancient Egyptian roles * User (ancient Egyptian official), an ancient Egyptian nomarch (governor) of the Eighth Dynasty * Useramen, an ancient Egyptian vizier also called "User" Other uses * User (computing), a person (or software) using a ...
about
social engineering Social engineering may refer to: * Social engineering (political science), a means of influencing particular attitudes and social behaviors on a large scale * Social engineering (security), obtaining confidential information by manipulating and/or ...
.


Project vulnerability management

Project vulnerability is the project's susceptibility to being subject to negative events, the analysis of their impact, and the project's capability to cope with negative events. Based on Systems Thinking, project systemic vulnerability management takes a holistic vision, and proposes the following process:                              1.           Project vulnerability identification.                              2.           Vulnerability analysis.                              3.           Vulnerability response planning.                              4.           Vulnerability controlling – which includes implementation, monitoring, control, and lessons learned. Coping with negative events is done, in this model, through: * resistance – the static aspect, referring to the capacity to withstand instantaneous damage, and * resilience – the dynamic aspect, referring to the capacity to recover in time. '' Redundancy'' is a specific method to increase resistance and resilience in vulnerability management. ''
Antifragility Antifragility is a property of systems in which they increase in capability to thrive as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures. The concept was developed by Nassim Nicholas Taleb in his book, '' ...
'' is a concept introduced by
Nassim Nicholas Taleb Nassim Nicholas Taleb (; alternatively ''Nessim ''or'' Nissim''; born 12 September 1960) is a Lebanese-American essayist, mathematical statistician, former option trader, risk analyst, and aphorist whose work concerns problems of randomness, p ...
to describe the capacity of systems to not only resist or recover from adverse events, but also to improve because of them. Antifragility is similar to the concept of positive complexity proposed by Stefan Morcov.


See also

* Application security *
Full disclosure Full disclosure or Full Disclosure may refer to: Computers * Full disclosure (computer security), in computer security the practice of publishing analysis of software vulnerabilities as early as possible * Full disclosure (mailing list), a mail ...
*
Long-term support Long-term support (LTS) is a product lifecycle management policy in which a stable release of computer software is maintained for a longer period of time than the standard edition. The term is typically reserved for open-source software, where it ...
* IT risk * Risk management *
Project management Project management is the process of leading the work of a team to achieve all project goals within the given constraints. This information is usually described in project documentation, created at the beginning of the development process. T ...
*
Project complexity Project complexity is the property of a project which makes it difficult to understand, foresee, and keep under control its overall behavior, even when given reasonably complete information about the project system. With a lens of systems thinking, ...


References

{{Reflist


External links


"Implementing a Vulnerability Management Process"
''SANS Institute.'' Computer security procedures Security compliance *