Off the top of my head: About having everything green in Qualys

[Image: traffic light at green. Photo by Carlos Alberto Gómez Iñiguez]

Vulnerability management is difficult. Many organizations aim to fix every security vulnerability they can identify: they want to run a scanner like Qualys and have everything come up green. In my opinion, it is a good and ambitious objective, but as a strategy it can be counter-productive.

In the first place, if the cybersecurity team is measured by whether Qualys finds any issues, then eventually Qualys won't find any, even if the security posture of the organization has not improved in the process. We should not lose sight of our goal: we want to improve our security posture, not to have everything green in Qualys.

Maybe you are thinking: “Ok, but if I have everything green in Qualys, we would have improved our security posture, wouldn’t we?”. Well, it depends. First, it depends on the actions taken to make that green happen. Maybe we changed something in the configuration that made our organization less secure, but Qualys now no longer identifies anything as a vulnerability. There is no replacement for analysis and thinking.

[Image: pink pig. Photo by Fabian Blank]

Second, and most important, there is an opportunity cost. If we are trying to fix all the CVEs, we are not investing that time in designing, implementing, and convincing the company to adopt other security controls that can reduce the risk much more. Our objective should not be to do any activity that improves security, but to do only those activities that reduce the risk faster, better, and at the lowest cost. It will almost always be better to leave some CVEs unfixed and spend that time improving other security controls.

CVEs usually have a CVSS score attached. CVSS scores are calculated by people like me, based on what we know about the vulnerability. A CVSS score is not a mathematical, scientific, 100% objective calculation, so there can be nuances. Additionally, when we calculate and assign the CVSS, we consider the vulnerability in a generic environment, so the risk for your company might be completely different. A CVSS 10 can be low risk in your environment; a CVSS 4 can be critical in your organization. The latter is the more difficult case, but it can happen.

Should organizations ignore CVSS? No. I think it is a good triage indicator. It’s fine for organizations to filter by the CVEs with the highest CVSS, but if a pentest demonstrates that a vulnerability with a lower CVSS can be exploited to access critical information, don’t ignore that vulnerability because of its CVSS.

That being said, I am in favour of trying to fix everything. I think it is one of those objectives that can never be fully accomplished (and we have to be aware of this), but that sets the correct tone for the team. The way to try to fix everything is through automation. Organizations should have processes in place that fix as many vulnerabilities as possible, as transparently as possible, while guaranteeing that the systems continue working as expected. For that, organizations should leverage vulnerability identification tools for operating systems and applications.

For applications, organizations can use tools like DependencyCheck, or dependabot (GitHub) and renovatebot (GitLab). These SCA tools can run in the pipeline when a merge request is sent, and can identify known vulnerabilities in the code before it is even committed. Some of these tools even create merge requests for you that update the vulnerable dependencies.

For operating systems we have mentioned Qualys, but you can also try open source tools like OpenSCAP.

Organizations should have a good cybersecurity team that understands the vulnerabilities and can evaluate the real risk of each vulnerability in the organization, so they can prioritize fixing them appropriately. The organization also has to have a good management team that sets the right objectives, understands what really impacts the security of the organization, and does not make the team focus on high-workload efforts that improve security less than other efforts would. Continuously question whether what you are doing in cybersecurity is really decreasing the probability or impact of an attack, and whether there is some other activity you could be doing instead that would be more efficient.
