Security Think Tank: Four key steps to managing software vulnerabilities
What is the most practical and cost-effective way for organisations to identify and remediate high-risk software vulnerabilities?
The key to resolving critical software vulnerabilities is to take a comprehensive view of cyber security and embed good practice in every aspect of an organisation, from workforce education and training to the software development lifecycle.
Software vulnerabilities can only be found and resolved when cyber security expertise is no longer sealed in silos, but instead spread among all software users and developers.
It is first vital to gather knowledge and insights from as many sources as possible, whether that involves seeking external threat intelligence from other related sectors, or crowdsourcing penetration testers.
Organisations must then diffuse knowledge across the organisation through high-quality training and education, and the use of machine learning algorithms that can capture insights from one department and automatically apply them to another.
There are four key steps that help organisations identify and remediate software vulnerabilities.
1. Train the workforce
The first step to preventing high-risk software vulnerabilities is to embed cyber security in the software development process so as to improve the quality of code being produced.
Cyber security education should be mandatory for those at every stage of the software lifecycle, from software engineers and web designers to the users responsible for maintaining it.
2. Deploy DevSecOps
Security best practices need to be baked into software development by integrating security, software development and operations so there is a continuous loop of best practice throughout the software lifecycle.
Bruce Beam, (ISC)²
This also ensures software vulnerabilities can be identified and patched at speed by a wide array of professionals, because it encourages the cross-fertilisation of cyber security knowledge among many workers and departments.
3. Consider using AI for testing
Virtual penetration testers should be used to speed up the process of combing through vast amounts of code for vulnerabilities. Machine learning algorithms can be quickly taught to identify and remediate vulnerabilities, and even how to differentiate between high-risk and low-risk vulnerabilities.
This produces a virtuous circle of cyber security best practice across the organisation, because vulnerabilities found and fixed in one department can teach machines to autonomously address similar vulnerabilities and enforce standards across the rest of the organisation.
4. Crowdsource outside expertise
Organisations should bring in external perspectives to help find and fix hidden vulnerabilities and analyse their risk profile. They can offer incentives to crowdsource penetration testers from outside the organisation.
It is also important to draw on external threat intelligence from other companies and relevant sectors to keep abreast of new threats and vulnerabilities, and to find out how they are being exploited in the wild. This helps an organisation assess the likelihood that a vulnerability will be exploited and what level of risk it poses.
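The two ideas in steps 3 and 4, separating high-risk from low-risk findings and weighting them by whether external intelligence says they are being exploited in the wild, can be made concrete. The following is an added example written for this article, not code from the author or from (ISC)²; every identifier, severity score and the threat-intelligence feed it consumes are constructed placeholders rather than real CVEs or a real feed, and the weighting factors are assumptions chosen to illustrate the approach.

```python
"""Rank software vulnerabilities by likelihood of exploitation and impact.

Added example (not from the original article): combines an organisation's own
scan findings with an external threat-intelligence feed so that remediation
effort goes to the vulnerabilities most likely to be exploited. All ids,
scores and feed entries are constructed placeholders, not real CVEs or intel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed identifier, deliberately not a CVE number
    severity: float        # base severity on a 0-10 scale (CVSS-like), constructed
    internet_facing: bool  # is the affected component reachable from outside?
    hosts_affected: int    # how many systems carry the flaw


# Constructed external threat-intelligence feed: vulnerability ids that peer
# organisations report as exploited in the wild, with a rough rating of how
# widely each is being used. In practice this would come from a shared feed.
THREAT_INTEL = {
    "VULN-002": "widespread",
    "VULN-004": "targeted",
}

# Assumed multipliers: exploitation seen in the wild raises urgency most.
EXPLOIT_WEIGHT = {"widespread": 2.0, "targeted": 1.5, None: 1.0}


def risk_score(f: Finding, intel=THREAT_INTEL) -> float:
    """Score = severity x exploitation x exposure x scale (capped at 2x)."""
    exploited = intel.get(f.vuln_id)            # None when intel has no report
    exposure = 1.5 if f.internet_facing else 1.0
    scale = 1.0 + min(f.hosts_affected, 100) / 100
    return round(f.severity * EXPLOIT_WEIGHT[exploited] * exposure * scale, 2)


def prioritise(findings, intel=THREAT_INTEL):
    """Return (id, score, tier) tuples, most urgent first.

    Tier thresholds are assumptions; an organisation would tune them to its
    own remediation capacity and risk appetite.
    """
    ranked = []
    for f in findings:
        s = risk_score(f, intel)
        tier = "high" if s >= 20 else "medium" if s >= 10 else "low"
        ranked.append((f.vuln_id, s, tier))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed sample findings. Note VULN-001: the highest base severity, but
# internal, on one host and with no exploitation reported, so it ranks last.
SAMPLE_FINDINGS = [
    Finding("VULN-001", 9.8, False, 1),
    Finding("VULN-002", 7.5, True, 40),
    Finding("VULN-003", 5.3, True, 200),
    Finding("VULN-004", 6.1, True, 10),
]

if __name__ == "__main__":
    for vuln_id, score, tier in prioritise(SAMPLE_FINDINGS):
        print(f"{vuln_id:9} {score:6.2f} {tier}")
```

The point of the example is that base severity alone (the 9.8 on VULN-001) is a poor guide to what to fix first; once exploitation in the wild, exposure and spread are folded in, a 7.5 that attackers are actively using on internet-facing systems comes out on top.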