Vulnerabilities Are Not A Security Problem
The idea that treating vulnerabilities is the responsibility of security teams is no longer the norm for many organisations, who are instead turning to more collaborative ways of getting the job done.
Common sense might tell you that the best people to deal with a security issue are security people, but that often couldn't be further from the truth.
Picture a scenario where a vulnerability has been identified in a newly-developed feature; for the sake of this analogy we'll say the vulnerability is down to broken access controls and would let a would-be attacker enumerate some account information of other user's of the application.
In this instance an Information Security Manager (ISM) might respond, quite understandably, by blocking the release until the bug is fixed. After all, broken access controls have made it to #1 on the OWASP Top 10 and getting this issue fixed would seem pretty fundamental to most ISM's.
So the ISM reaches out to the developers and tells them to fix the issue. It takes them a week to get solved, meanwhile they've pushed back a product release and are now behind schedule on the product roadmap.
Picture instead what would happen if a working group was setup between key stakeholders:
- The ISM could chair the meeting and share information about the vulnerability,
- A developer could then provide insight on how long it might take to fix,
- A data protection officer could confirm that the information disclosed is considered low-impact,
- A SOC analyst could implement a WAF rule to temporarily limit exposure, and a SEIM rule to monitor for attacks,
- A CTO could add addressing the issue into a wider programme of fixing bugs over the next few months.
Simply engaging these five people could sufficiently manage the risk and enable the business to progress.
Get a Free Trial From Cytix
Haven’t tried Cytix yet? Try our free trial to see how it works.Get a Free Trial
This post is supposed to highlight the value in engaging multiple departments in the vulnerability management lifecycle, and is just one example of how effective collaboration can yield valuable results.
At Cytix, we believe in providing the tools to achieve this need within every organisation. To find out more about how we can help you, register for your free trial today.
Start Detecting Vulnerabilities Others Miss Today
- Detect Vulnerabilities Faster
- Patch Vulnerabilities Faster
- Be more compliant