Building a Scalable Vulnerability Management Program

The number of software vulnerabilities is quickly spiraling out of control. Each year, the number of newly discovered software vulnerabilities is in the tens of thousands. As a result, organizations are falling into deep security debt, where they are simply incapable of patching every new vulnerability discovered in the software deployed in their environment.

Dealing with the growing number of software vulnerabilities requires a new approach to vulnerability management. Instead of focusing on patching each individual vulnerability, organizations should work on protecting each potentially vulnerable application. Runtime application self-protection (RASP) by Imperva provides a solution to the vulnerability management problem. By deploying a security solution capable of providing individualized protection to an application and “virtually patching” it against attack, an organization can secure its infrastructure without resorting to a time-consuming and costly patch management program.

Web Application Vulnerabilities Are Growing Rapidly

The average application has a number of vulnerabilities, and the total number of vulnerabilities in the wild is growing. In 2019, according to an annual report by Risk Based Security, over 22,000 new vulnerabilities were discovered and reported. Of these vulnerabilities, a third were rated “critical”, meaning that they had a score of at least 7 on the 10 point Common Vulnerability Scoring System (CVSS) scale.

While these new vulnerabilities are concerning, they only represent the tip of the iceberg of vulnerabilities that organizations must contend with. The 22,000 vulnerabilities disclosed in 2019 are added to over 77,000 new vulnerabilities reported within the last five years. Any and all of these nearly 100,000 vulnerabilities could realistically be expected to be present in software deployed on an organization’s systems.

Additionally, this covers only vulnerabilities that have been discovered and publicly disclosed. As a result, it does not include those vulnerabilities that are currently unknown, identified but not disclosed by the software creator, or included in collections of zero-day vulnerabilities hoarded by cybercriminals and other hacking groups.

Organizations Cannot Keep Up With Patching

The only way for an organization to be completely secure is to patch every single vulnerability in their network environment. However, this is infeasible for several different reasons.

The first of these is the fact that organizations can only patch vulnerabilities of which they are aware of. The numerous vulnerabilities that are undiscovered, unreported, or not included in official lists, such as the National Vulnerability Database (NVD) which has a much lower 2019 total vulnerability count than Risk Based Security, cannot be patched by organizations that are unaware of them. For those vulnerabilities that are publicly reported, organizations can face several different challenges in remediating them. Some vulnerabilities have no patch available, making them difficult or impossible for an organization to remediate them.

For vulnerabilities with a patch that is publicly available, organizations are overwhelmed with the number of patches that they need to identify, test, apply, and verify. While an organization may be capable of tracking the software that it has deployed in-house, tracking all of the code running in house is a much more difficult challenge. The average web application has over 1,000 different dependencies, each of which have an average of 80 dependencies of their own. Vulnerabilities in any of these dependencies could impact the organization’s security, making patch management a much more difficult problem than it appears on the surface.

Runtime Application Self-Protection Can Help

Organizations are faced with vulnerability overload. With 22,000 new vulnerabilities per year, an organization’s security team should look through an average of 60 new vulnerabilities per day to determine if they affect any software or systems in use within the organization. This list of affected software is not limited to the “top-level” applications that an organization uses but also every dependency for every one of these applications, which creates a much larger potential attack surface.

For most organizations, who have little or no visibility into the software that they are using beyond this top-level surface, achieving and maintaining a realistic view of the vulnerabilities that they need to patch is difficult or impossible using manual processes. This does not include the actual effort of patching the vulnerabilities, including determining if a patch is available, testing to see if it can be applied, applying it, and testing if it is applied correctly. If any of these stages does not complete successfully, an organization may incur additional overhead fixing the problem of identifying a means for reducing the risk created by the vulnerability.

As the number of vulnerabilities to be patched increases, organizations require a new, more scalable approach to vulnerability management. Runtime application self-protection provides a solution.

Unlike a web application firewall (WAF), which is applied at the network boundary, RASP provides personalized protection to a specific application. This includes monitoring of its inputs, outputs, and behavior to detect any suspicious or anomalous behavior that could indicate a potential attack. If a potential attack is detected, the RASP solution can either block it or report it to the organization’s security team.

RASP provides an alternative to patch-based vulnerability management since it is capable of “virtually patching” an application against attack. With in-depth knowledge of both common exploits and the application that it protects, RASP acts as a perfect complement to a WAF, identifying more subtle and targeted attacks that the WAF, with its network-level view, may have missed.

WE SAID THIS: Tell us your thoughts in the comment section below.