A Risk-Based Approach to Vulnerability Management
Published 05/10/2024
Written by Devin Maguire, ArmorCode.
Security and risk are related but not synonymous. Security prevents, detects, and responds to attacks and is a key variable in the broader category of risk management. Risk management weighs the probability and impact of adverse events across the organization to inform and influence decisions. The relationship between security and risk is reciprocal. Risk tolerance and priorities influence security investments and activity, and security performance in turn impacts risk posture. In this post, we will explore the broader scope of risk, activities to align security with a risk-based approach, and how DevSecOps best practices contribute to systemic improvements beyond security to achieve better business outcomes overall.
Risk and security
Within security, especially application security, it is easy to fall into a myopic view of risk where any and all vulnerabilities pose a potential threat and should be addressed. But security is only one of many types of risk which span everything from operational risk (are employees and equipment able to develop and deliver products and services) to financial risk (are we able to generate and borrow to sustain business and investments) to strategic risks (are we able to innovate and compete in a dynamic competitive landscape) and more.
For example, let’s look at how a manufacturing business might approach risk. Efficiency, quality, and throughput are critical to the business. They might look at the risk of their upstream supply chain and diversify to insulate themselves from disruption. They invest in tooling and quality control to improve efficiency and prevent recall risk. They might assess the financial risk of contracts and customers to prevent overextending those investments. And because every company is a software company, they would invest in digital transformation to improve efficiency and competitiveness – and security to keep those business-critical applications operational.
Similar risks apply to a software company. They need to manage risk across a software supply chain that facilitates modern development but can also introduce risk from upstream and third-party vulnerabilities. They invest in tools and processes to increase developer productivity and keep pace with competitive innovation. And security investments prevent outages, breaches, and revenue loss.
As we look across these risks, no one department or function has complete ownership and control over all the variables that affect risk. This is why friction often exists between functions like development and security, which are responsible for and measured against different business objectives and risk categories. On one hand, development is responsible for releasing competitive products efficiently to avoid strategic risks, but rushing to market can introduce quality and security risks. On the other hand, security is responsible for minimizing vulnerabilities and exposure to exploits, but spending too much time securing software can delay time to market and lead to opportunity costs.
These conflicts arise when organizations are not aligned around a well-defined (and ideally well-documented and measured) risk management approach. Establishing this alignment and governance is the objective of risk-based vulnerability management.
Taking a Risk-Based Approach to Vulnerability Management
Likely, you’ve done risk assessments to triage vulnerabilities or as part of your threat modeling activities (if not, we recommend you get started with these frameworks!). But have you gone beyond risk assessment to establish a risk-based practice? Here are some key activities to get you started.
Connect the right people
When it comes to risk management, you can’t just go it alone. As mentioned above, the scope of risk extends beyond any one department, and risk often sneaks into the gaps between organizational silos. There are also necessary checks and balances to ensure different needs and activities are met. A dedicated enterprise risk management function may exist, or you may have to form internal alliances and secure leadership buy-in to establish risk-based policies and best practices.
Baseline and benchmark your current performance
How is your organization performing today across risk categories? Where are you relative to others? Where do you want to be? These are challenging but essential questions to answer. Your organization may be leading in development velocity to minimize strategic risk but lagging in code quality and mean time to remediate, which elevates security risk. Without illuminating these discrepancies, organizations can continue to invest large sums with diminishing returns in areas of strength while ignoring higher-impact opportunities elsewhere.
Define and document your risk appetite and tolerance
How long is it acceptable for critical vulnerabilities to persist in production for your most valuable applications? Is it documented? Does the head of engineering know? Do the CFO and CEO? Does the board? Risk appetite is a factor of the whole business that aims to balance finite resources against infinite needs, wants, and sources of risk. You need to align on risk tolerance and understand the budget requirements and tradeoffs to inform strategic decisions. For example, if the risk tolerance dictates that critical vulnerabilities in production must be fixed within 5 days, that not only sets a 5-day SLA for security; it also means security must be equipped with the tools, budget, and authority to meet that SLA.
Prioritize vulnerabilities based on risk
With risk tolerance defined and documented, the next step is aligning your vulnerability management program with the risk-based approach. This typically requires mapping vulnerabilities to assets to assess the impact and drive risk-based triaging and remediation workflows. This is where dedicated Risk-Based Vulnerability Management tooling can help you gain visibility across massive volumes of vulnerabilities and map findings to assets to assess risk and prioritize issues.
Measure risk-based vulnerability management performance
How well are teams able to adhere to remediation SLAs? How can you best spend your training and enablement budget? In a post-incident assessment, was the exploited vulnerability in breach of the SLA? If not, does that shift the organization’s risk tolerance and appetite? Risk management establishes accountability, reveals gaps, and facilitates intelligent conversations about navigating the realities of an uncertain and risky world. It shifts assessment away from activity and provides governance over outcome-driven metrics that more directly affect above-the-line items like revenue enablement and retention, cost reduction, and productivity.
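As an added example (not code from this post or from ArmorCode), the following Python sketch ties together the three activities above: a documented per-severity remediation SLA (the 5-day critical figure is the post's; the other values are assumed), findings mapped to assets with an assumed business-criticality tier, risk-based ordering of the backlog, and a measurement of SLA adherence over a constructed set of findings.

```python
from dataclasses import dataclass
from datetime import date
# Documented risk tolerance: max days a finding may stay open in production, by
# severity. The 5-day critical SLA is from the post; the rest are assumed.
REMEDIATION_SLA_DAYS = {"critical": 5, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
ASSET_TIER_WEIGHT = {"tier1": 3.0, "tier2": 2.0, "tier3": 1.0}  # assumed tiers

@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    asset: str          # the asset the finding is mapped to
    asset_tier: str     # business criticality of that asset (assumed tiers)
    internet_facing: bool
    found_on: date

def risk_score(f: Finding) -> float:
    """Severity weight x asset criticality, with a bump for exposed assets."""
    score = SEVERITY_WEIGHT[f.severity] * ASSET_TIER_WEIGHT[f.asset_tier]
    return score * 1.5 if f.internet_facing else score

def sla_breached(f: Finding, today: date) -> bool:
    """True once the finding has been open longer than its severity's SLA."""
    return (today - f.found_on).days > REMEDIATION_SLA_DAYS[f.severity]

def prioritize(findings, today: date) -> list:
    """SLA breaches first, then highest risk, then oldest; returns finding ids."""
    key = lambda f: (not sla_breached(f, today), -risk_score(f), f.found_on)
    return [f.finding_id for f in sorted(findings, key=key)]

def sla_adherence(findings, today: date) -> dict:
    """Share of findings still within SLA, per severity plus an overall figure."""
    totals, within = {}, {}
    for f in findings:
        totals[f.severity] = totals.get(f.severity, 0) + 1
        within[f.severity] = within.get(f.severity, 0) + (not sla_breached(f, today))
    report = {sev: within[sev] / totals[sev] for sev in totals}
    report["overall"] = sum(within.values()) / sum(totals.values())
    return report

# Constructed sample findings, not real data.
TODAY = date(2024, 5, 10)
SAMPLE = [
    Finding("F-1", "critical", "payments-api", "tier1", True, date(2024, 5, 3)),
    Finding("F-2", "critical", "internal-wiki", "tier3", False, date(2024, 5, 8)),
    Finding("F-3", "high", "payments-api", "tier1", True, date(2024, 4, 1)),
    Finding("F-4", "medium", "customer-portal", "tier2", True, date(2024, 5, 1)),
    Finding("F-5", "low", "build-runner", "tier3", False, date(2024, 1, 1)),
]
```

Note that the breached high-severity finding on the tier-1 asset outranks the in-SLA critical on the low-value internal asset, which is the asset-context effect the section describes.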
Mature your risk-based vulnerability management program
Risk management is not a static one-time activity. It is a dynamic and evolving process with risk implications and ripple effects – both positive and negative – from different aspects of the business. A clear example of this is generative AI and its implications for development speed and strategic competitiveness, the introduction of new attack vectors, and the enablement of AI security solutions to aid risk-based remediation and counteract both novel and legacy threats. Organizations should continuously look for opportunities to improve the people, process, and technology aspects of effective risk management. These investments can change the calculus of risk management – say by creating efficiencies in the remediation of security risks, which frees resources for innovation to address strategic risk.
Achieving better business outcomes
Generic vulnerability management tools typically fail to account for the unique business context that ties vulnerabilities to impact to accurately assess risk and drive remediation priorities. Unlike generic tools, a risk-based vulnerability management solution elevates focus beyond remediation activity and toward risk reduction. It also unlocks the ability to distill findings based on risk to significantly reduce developer workloads and provide rules and governance over risk-based SLAs. The ability to establish and manage risk-based prioritization is essential to AppSec maturity and will not only boost your security posture but also have downstream impacts on developer productivity, efficiency, cost reduction, and improved business performance.