Vulnerability management is an essential tool for keeping your business-critical applications secure and functioning properly to support the business. But, vulnerability management has a lot of moving parts and some of these terms often blend together and seem interchangeable. Understanding these fundamentals is crucial for understanding how the latest vulnerability management tools and technologies work and keep your organization safe.
What is a Vulnerability?
It is nearly impossible to create error-free software or hardware, and for complex systems, this is even more true. A vulnerability is a bug, a weakness or flaw that can be leveraged by a threat actor to gain unauthorized access to a network. There are many types of security vulnerabilities, but some common types of vulnerabilities affecting business-critical applications are:
- Missing patches: Vendors regularly release patches to fix identified security problems in their software. If you don’t apply the patch, you remain vulnerable to that issue and a threat actor could target that weakness.
- Misconfigurations: These are issues within the settings of your system. Some of the common issues we see in this area include lack of encryption and admin accounts with default passwords.
- Authorization issues: Authorizations dictate what actions a user can perform and what data they can access and should generally be assigned following the least privilege principle. Common weaknesses here include overly privileged users and users unintentionally assigned “all access” profiles.
Not All Vulnerabilities Are The Same: Understanding Criticality and CVSS
An essential part of vulnerability management is the ability to prioritize. Simply discovering vulnerabilities and ending up with a laundry list of problems isn’t enough. You need context and insight into each issue’s severity and potential business impact so you can make an educated decision on how to respond. Should it be fixed immediately? Can it be deferred to later? Or maybe it’s not severe and you are comfortable accepting the risk it poses.
The best-known standard to rate the criticality of vulnerabilities is the Common Vulnerability Scoring System (CVSS) that is maintained by The Forum of Incident Response and Security Teams (FIRST). CVSS provides a score ranging from 0.0 (no issue at all) to 10.0 (most critical). To learn more about CVSS Score and how The Onapsis Platform leverages this score to help customers assess and prioritize vulnerabilities within their business-critical applications, check out this blog.
What Is Vulnerability Management?
Now that we know what a vulnerability is, what can we do about them? Not all vulnerabilities are equal and new ones are constantly being discovered, so having a tool to stay on top of them all is essential. Vulnerability management is the continuous process of identifying, classifying, prioritizing, remediating and mitigating software vulnerabilities.
No matter the industry or size of your organization, you’re not immune. Every business needs a vulnerability management tool to manage vulnerabilities. An effective vulnerability management program regularly checks for vulnerabilities, provides context like criticality and business impact, and supports remediation by aligning security, IT and DevOps teams.
The Role of Patching in Vulnerability Management
No software is truly bug-free. Patches are updates, fixes or improvements released by software vendors. While not all vulnerabilities are fixed by patching (e.g., the configuration and user privilege issues mentioned above), staying on top of patching is an essential part of vulnerability management. If you don’t apply a patch, your system/application/software remains at risk of that associated vulnerability being exploited.
While the number of patches included in each release and the complexity of installation can make patch management difficult, it’s important to patch promptly because threat actors are also keeping an eye on patch releases. Recent research from Onapsis and SAP found critical SAP vulnerabilities being weaponized less than 72 hours after the patch was released.
This is an area where an SAP-focused vulnerability management solution can help. Providing easy visibility into the criticality of each patch and identifying which systems need it installed can significantly help prioritization efforts and simplify patch management.
Vulnerability Management For Business-Critical Applications
Traditional vulnerability management tools typically don't have adequate coverage for an organization’s most critical assets—the business-critical financial, HR, sales, supply chain, customer and ERP applications like those from SAP, Oracle, and Salesforce. Having a comprehensive vulnerability management solution for these applications allows security and IT teams to detect vulnerabilities sooner and reduce time spent on false positive investigations and reporting, all while ensuring your business is not negatively impacted.
Onapsis Assess provides the key elements for effective vulnerability management at the application layer—evaluating assets for system vulnerabilities and providing detailed explanations for each one, including business impact and a technical solution. Onapsis automatically updates Assess with the latest threat intelligence and other security guidance from the Onapsis Research Labs. This provides our customers with advanced notifications on critical issues, comprehensive coverage, improved configurations and pre-patch protection ahead of scheduled vendor updates.
- The Onapsis Research Labs continuously analyzes and investigates developments in mission-critical applications to discover and identify new vulnerabilities. Subscribe to our newsletter, The Defender's Digest for our monthly SAP Patch Day updates.
- Between January and June 2020, there were a total of 123 vulnerabilities disclosed by SAP ranging from CVSS scores of 2.7 through 10.0. Read Onapsis Research Labs’ analysis.