Like most other fields of study or practice, vulnerability management, and information security in general, runs on data. Security processes have come a long way in keeping pace with rapid product engineering. However, pertinent data, or rather the lack of it, is still a major problem that manifests itself in different ways and holds product teams back from delivering secure releases on time. In this blog I wish to discuss a use-case where a lack of critical data renders vulnerability management inefficient. I shall then talk about how our team at we45 has addressed the problem through Orchestron's most recent enhancement: its integration with ORL (Orchestron Risk Language), a massive vulnerability data repository.
Michael is a security practitioner at a mid-sized software company called Munder Difflin. Munder Difflin has an engineering team of approximately 100 professionals who maintain a mature DevOps pipeline with frequent product releases. Michael is tasked with keeping these releases secure.
Michael leverages security automation to keep up with rapid product engineering. He has integrated SAST and SCA platforms with the development environment to find security issues arising from code early in the SDLC. He further runs automated DAST scans to find run-time security issues and supplements them with manual penetration testing to unearth vulnerabilities that automated tools can't find, such as business logic flaws. This thorough testing approach gives rise to the problem of plenty: one testing cycle across Munder Difflin's portfolio of 75 applications uncovers over 1200 vulnerabilities (450 from SAST, 450 from SCA, and 300 from DAST and manual penetration testing combined).
Michael now attempts to tackle this with an Application Vulnerability Correlation (AVC) engine. An AVC engine uses vulnerability data supplied by the security tools, such as the CWE ID of each finding, to correlate results across tools, so that the same weakness reported by a SAST scan, a DAST scan and a pentester is tracked as one issue rather than three, and to weed out false positives. With the help of an AVC engine Michael is able to reduce the result set of 1200 findings to 825 distinct vulnerabilities. With the added benefit of visibility on a single dashboard and remediation assistance, he is able to manage vulnerabilities better.
We believe this is only half the battle won. The effectiveness of correlation is limited by the amount of vulnerability data the security tools provide. Correlation isn't possible when a tool's results lack a concrete, tool-independent identifier such as a CWE ID: a finding with no CWE has nothing to be matched on and stays in the list as a separate item. This is why we integrated our vulnerability correlation engine, Orchestron, with a massive vulnerability data repository built in-house called Orchestron Risk Language (ORL). ORL supplements Orchestron with the vital vulnerability data missing from tool results, so that more findings can be correlated, improving the effectiveness of correlation by up to 30%. For Michael, that means his action list of 825 vulnerabilities would shrink to under 600.
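To make the two previous points concrete, here is an added, self-contained illustration of CWE-based correlation and of what enrichment buys. It is example code written for this post, not Orchestron's or ORL's implementation. The finding records, the (app, component, CWE) correlation key and the `CWE_LOOKUP` table are all constructed for the example; the lookup table simply stands in for a data repository that can supply the CWE a tool left out.

```python
"""Correlate scanner findings by CWE, then show how filling in missing CWE
IDs lets more of them correlate. Added example; not Orchestron or ORL code.
Records, correlation key and lookup table are constructed for illustration."""
from collections import defaultdict

# Constructed scanner output. Each record is one finding as a tool reported it;
# "cwe" is None where the tool did not supply a CWE identifier.
RAW_FINDINGS = [
    {"tool": "sast",    "app": "payroll",   "component": "login",            "rule": "sql-injection",                     "cwe": 89},
    {"tool": "dast",    "app": "payroll",   "component": "login",            "rule": "SQL Injection",                     "cwe": 89},
    {"tool": "pentest", "app": "payroll",   "component": "login",            "rule": "SQLi in username field",            "cwe": None},
    {"tool": "sast",    "app": "payroll",   "component": "search",           "rule": "xss-reflected",                     "cwe": 79},
    {"tool": "dast",    "app": "payroll",   "component": "search",           "rule": "Cross Site Scripting (Reflected)",  "cwe": None},
    {"tool": "sca",     "app": "payroll",   "component": "jackson-databind", "rule": "Deserialization of Untrusted Data", "cwe": None},
    {"tool": "sast",    "app": "inventory", "component": "upload",           "rule": "path-traversal",                    "cwe": 22},
    {"tool": "dast",    "app": "inventory", "component": "upload",           "rule": "Path Traversal",                    "cwe": 22},
]

# Hypothetical enrichment table standing in for a repository such as ORL:
# maps a tool's own rule name to the CWE it describes.
CWE_LOOKUP = {
    ("pentest", "SQLi in username field"): 89,
    ("dast", "Cross Site Scripting (Reflected)"): 79,
    ("sca", "Deserialization of Untrusted Data"): 502,
}


def enrich(findings, lookup):
    """Return copies of the findings with missing CWE IDs filled from lookup.

    The input records are not modified; a finding the table cannot resolve
    keeps cwe=None and will still fall through as uncorrelated.
    """
    enriched = []
    for f in findings:
        f = dict(f)
        if f["cwe"] is None:
            f["cwe"] = lookup.get((f["tool"], f["rule"]))
        enriched.append(f)
    return enriched


def correlate(findings):
    """Group findings into issues keyed on (app, component, cwe).

    A finding without a CWE has nothing to be matched on, so it becomes an
    issue of its own. Returns one dict per issue with the supporting findings
    and the set of tools that reported it.
    """
    groups = defaultdict(list)
    for f in findings:
        if f["cwe"] is None:
            key = ("uncorrelated", f["tool"], f["app"], f["component"], f["rule"])
        else:
            key = (f["app"], f["component"], f["cwe"])
        groups[key].append(f)
    return [
        {"key": key, "tools": sorted({f["tool"] for f in fs}), "findings": fs}
        for key, fs in groups.items()
    ]


def reduction(before, after):
    """Percentage of the raw finding count that correlation removed."""
    return round(100 * (before - after) / before, 1)


if __name__ == "__main__":
    naive = correlate(RAW_FINDINGS)
    enriched = correlate(enrich(RAW_FINDINGS, CWE_LOOKUP))
    print(f"raw findings: {len(RAW_FINDINGS)}")
    print(f"correlated on tool-supplied CWEs only: {len(naive)} issues "
          f"({reduction(len(RAW_FINDINGS), len(naive))}% fewer)")
    print(f"enriched, then correlated: {len(enriched)} issues "
          f"({reduction(len(RAW_FINDINGS), len(enriched))}% fewer)")
    for issue in enriched:
        print(" ", issue["key"], "reported by", ", ".join(issue["tools"]))
```

Run as a script, the eight constructed findings collapse to six issues when only the tool-supplied CWEs are used (the pentest SQLi, the DAST XSS and the SCA finding all sit alone because they carry no CWE), and to four once the missing CWEs are filled in, with the payroll login SQL injection now backed by all three tools. The lookup is keyed on the tool's own rule name because that is the one piece of structured data every tool does emit; in a real engine that table is large and maintained as data, which is exactly the gap a repository like ORL is meant to fill.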
Get in touch with us if you’d like to know more about how Orchestron’s enhanced correlation can help you better manage vulnerabilities.