Top 10 Reasons to Correlate Vulnerabilities

AVC, DevSecOps, Vulnerability Correlation, Vulnerability Management, False Positive Management
Aneesh Bhargav | August 10, 2020

If you’re an appsec professional, you know what it’s like to be part of a tiny team responsible for way too many apps. Sometimes, the odds are worse. We had one major client who had a team of just 8 security engineers working simultaneously on 400+ different apps, and were completely swamped with some 1600 vulnerability scan results every day. Numbers like this can be scarily common in a development environment that relies on rapid release schedules and ever-shrinking deadlines. It’s not fun, we know.

But security automation has come a long way since the old days, and we have real solutions to the problem of too many vulnerabilities. One of the most efficient and accessible ways to speed up your DevSecOps pipeline is Application Vulnerability Correlation (AVC). Here are the 10 most compelling reasons your security team should start correlating vulnerabilities today:


1. Standardised system for naming vulnerabilities

When you use multiple scan tools on your apps, some of which are open source and some commercial, they tend to use their own systems to name and categorise vulnerabilities. Vulnerability names aren’t standard across tools, so when every tool gives you a unique scan result, you’re going to quickly become inundated with data, much of which might just be from the same vulnerability.

When you correlate your vulnerabilities, the AVC platform will use one standardised system to name and categorise your vulnerabilities. You can save time organising tool results and stick to fixing vulnerabilities instead.

2. False positives can be cross-checked

No scan tool is perfect, and if a vulnerability you thought was a false positive is actually exploitable, you could be in for trouble. That’s why we use multiple scan tools. But when you do that, you’re going to have to first find the same vulnerability in the other scan result and compare the two to see if they both say it’s a false positive.

An AVC platform lets you see multiple scan results under the same vulnerability and compare them across instances. It makes it infinitely easier to cross-check a false positive result between two scans and be extra-sure.


3. CWE becomes much more useful

CWE numbers are great because you can look up vulnerabilities in massive databases like MITRE’s CWE and OWASP. They have exhaustively detailed entries on each weakness class that can help with remediation. The problem is that many scan tools don’t provide CWE numbers, but instead just tell you the names and categories of vulnerabilities.

Correlation fixes that by collecting information on the same vulnerability from multiple tools and using that to pinpoint the correct CWE number. Now you’ll have an easier time figuring out how to remediate the flaw.

4. Manage DAST, SAST, SCA, IAST, Container and Cloud scanning tools better

If you thought dealing with vulnerabilities of the same kind was difficult, making sense of source code flaws, vulnerabilities at runtime, and vulnerable open source components of your application all at once is a nightmare. You need to be able to look at your vulnerabilities at every stage of development in order to get a complete picture of your application’s security situation.

Vulnerability correlation can help bring your whole DevOps strategy into perspective, making it easier to manage your vulnerabilities and track the health of your apps at each point in the pipeline.

5. Connect CVE numbers to vulnerabilities

Some open source and commercial scan tools only give you a CVE number instead of the vulnerability’s name. This can lead to some confusion when deciding how to categorise your vulnerabilities, especially since the name of the vulnerability is more widely understood and easily recognised by people.

AVC platforms give much more comprehensive data that includes a standard name for each vulnerability regardless of which scan tool discovered it.

6. Get one unified report for all instances of a vulnerability

Scan tools are extremely thorough in combing through your apps and detecting every instance of every exploitable flaw. Unfortunately, this means that multiple instances of the same vulnerability get reported separately, which means you’re going to be seeing reports that are both long and numerous, even though you’re not actually dealing with that many vulnerabilities.

Correlation can help you consolidate data and reports from multiple scan tools that found the same vulnerability, giving you much less pointless information to parse through to fix the same number of vulnerabilities.

7. Descriptions of vulnerabilities and how to remediate them

After every round of scanning, you get new vulnerabilities to sort through and help the engineers fix. If only there were a way for you to see the scan results AND get detailed descriptions of each vulnerability along with suggestions on how to remediate them.

Orchestron Risk Language (ORL) is an advanced vulnerability database built into our AVC platform that does just that. It’s like an appsec encyclopaedia with detailed metadata on each vulnerability, samples of good code vs. bad code and much more.

8. Manage alias names and CVE numbers

Any given vulnerability has many different alias names and CVE numbers, which can all get very confusing to deal with, especially when you’re talking about several hundred scan results. Correlation can help fix this issue by filling in any gaps in the data with CWE numbers and standardised vulnerability names. Now you can easily manage and categorise disparate scan results under the same vulnerability.
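The following is an added illustration of the mechanics behind points 1, 2, 5, 6 and 8 above; it is example code written for this article, not the Orchestron platform’s own code. It assumes three made-up scanners (two DAST tools with different report shapes and one SCA tool that reports only a CVE id), a small alias table that maps each tool’s naming (or a bare CVE id) to one canonical name and CWE, and a placeholder CVE id that does not refer to any real advisory. Findings are normalised into one shape, grouped by (CWE, location) so that every instance and every tool’s report of the same flaw lands under one entry, and each entry is labelled confirmed, single-tool, false positive, or disputed when one tool marked it a false positive and another still reports it.

```python
from dataclasses import dataclass, field

# Alias table: each tool's own finding name, or a bare CVE id, mapped to one
# canonical name and CWE id. Entries are constructed for this illustration;
# the CVE id is a labelled placeholder, not a real advisory.
ALIASES = {
    "Cross Site Scripting (Reflected)": ("Cross-site Scripting", "CWE-79"),
    "XSS": ("Cross-site Scripting", "CWE-79"),
    "SQL Injection": ("SQL Injection", "CWE-89"),
    "SQLi (error based)": ("SQL Injection", "CWE-89"),
    "CVE-0000-00001": ("Deserialization of Untrusted Data", "CWE-502"),  # placeholder id
}


@dataclass
class Finding:
    tool: str
    raw_name: str
    location: str          # URL path, source file, or package name
    detail: str            # parameter, line, or version: tells instances apart
    false_positive: bool = False


@dataclass
class CorrelatedVuln:
    name: str
    cwe: str
    location: str
    instances: list = field(default_factory=list)

    @property
    def tools(self):
        return sorted({f.tool for f in self.instances})

    @property
    def status(self):
        fp = [f for f in self.instances if f.false_positive]
        if fp and len(fp) < len(self.instances):
            return "disputed"        # one tool says FP, another still reports it
        if fp:
            return "false_positive"  # every tool that saw it marked it FP
        return "confirmed" if len(self.tools) >= 2 else "single_tool"


# Constructed scanner output, each in its own tool's shape.
DAST_A = [  # DAST tool A: one dict per alert
    {"alert": "Cross Site Scripting (Reflected)", "url": "/search", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "url": "/search", "param": "lang"},
    {"alert": "SQL Injection", "url": "/login", "param": "user"},
]
DAST_B = [  # DAST tool B: tuples, with an analyst's false-positive flag
    ("XSS", "/search", "q", False),
    ("SQLi (error based)", "/login", "user", True),
]
SCA = [  # SCA tool: only a CVE id and the affected package
    {"cve": "CVE-0000-00001", "package": "example-lib", "version": "1.2.3"},
]


def normalise(tool, record):
    """Convert one tool-specific record into the common Finding shape."""
    if tool == "dast-a":
        return Finding(tool, record["alert"], record["url"], record["param"])
    if tool == "dast-b":
        name, url, param, fp = record
        return Finding(tool, name, url, param, fp)
    if tool == "sca":
        return Finding(tool, record["cve"], record["package"], record["version"])
    raise ValueError(f"unknown tool {tool}")


def correlate(findings):
    """Group findings by (CWE, location): one entry per vulnerability,
    however many tools reported it or instances it has."""
    groups = {}
    for f in findings:
        name, cwe = ALIASES.get(f.raw_name, (f.raw_name, "CWE-unmapped"))
        grp = groups.setdefault((cwe, f.location), CorrelatedVuln(name, cwe, f.location))
        grp.instances.append(f)
    return list(groups.values())


def run():
    """Normalise all three reports and return correlated entries keyed by (CWE, location)."""
    findings = ([normalise("dast-a", r) for r in DAST_A]
                + [normalise("dast-b", r) for r in DAST_B]
                + [normalise("sca", r) for r in SCA])
    return {(v.cwe, v.location): v for v in correlate(findings)}


if __name__ == "__main__":
    for v in run().values():
        print(f"{v.cwe} {v.name} @ {v.location}: {len(v.instances)} instance(s) "
              f"from {v.tools}, status={v.status}")
```

Six raw results collapse to three correlated entries: the reflected XSS on /search carries three instances from two tools and is marked confirmed, the SQL injection on /login is disputed because only one of the two tools flagged it as a false positive, and the SCA finding is resolved from the placeholder CVE id to a name and CWE but remains single-tool. A production platform would key the grouping by application and endpoint mapping rather than by raw path, but the triage states are the ones an analyst actually needs to see.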

9. Discover the actual severity of a vulnerability

Different scan tools see the same vulnerabilities differently, and this inevitably creates inconsistencies in how they assign severity levels to different flaws. This can lead to confusion about which vulnerabilities need to be remediated first, especially between the security engineers and product developers.

AVC platforms use each vulnerability’s CVSS score to assign a severity level to the reference data set used for correlation. New scan results are compared with this data set and severity levels are automatically assigned to the vulnerabilities. Now your developer friends won’t ever have to ask you which ones to fix first.

Check it out: How the Orchestron Dashboard organises your metadata

10. Your security team stays motivated (and your apps are more secure!)

We’ve seen this happen at a lot of companies: a very small security team is constantly scrambling to scan applications, organise vulnerabilities and guide developers in remediating them. When they have to do all of this manually, however, it turns into a mindless assembly line process that puts serious strain on the security engineers. The workload can even cause lapses that leave important vulnerabilities open to be exploited.

Many organisations lose good security professionals this way.

Vulnerability correlation isn’t just about making the appsec process more efficient. It’s also an important part of creating a healthy, positive work environment in which security and product engineers feel motivated and care more about the quality of their output. When something’s good for the staff, it’s good for the company, too.