VEGA TERRY WELLIVER GREG SYME JUANA WELLS NAVAL POSTGRADUATE SCHOOL
VULNERABILITY MANAGEMENT
FACTS
THERE ARE AND WILL CONTINUE TO BE BUGS AND HOLES IN SOFTWARE THAT CAN BE EXPLOITED
VENDORS WILL (OR AT LEAST SHOULD) DO THEIR BEST TO FIX THEM AS FAST AS THEY CAN
BUT THE FIXES WON’T HELP IF YOU DON’T KNOW YOU NEED THEM AND THEN DON’T DEPLOY THEM
APPLYING FIXES IS GOING TO BE DISRUPTIVE TO NORMAL OPERATIONS, SO YOU NEED AN ACTIVE PLAN AND PROVEN PROCESS FOR ENSURING THAT THE WORK GETS DONE IN A TIMELY FASHION
NAVY MANDATES A FORMAL VULNERABILITY SCANNING PROCESS IN PLACE AND AN ACTIVE PLAN TO ADDRESS VULNERABILITIES THAT ARE DISCOVERED
TIME AND MONEY BUDGETS ARE TIGHT AND TIME IS FINITE
SOLUTION
FIND THE BUGS YOU NEED TO FIX, TAKE ACTION ON THE FINDINGS
VULNERABILITY SCANNER → EXPORT THE REPORTS (PDF, CSV) → DISTRIBUTE THE REPORTS → TRACK THE FIXES (THE SYSTEM ADMINISTRATORS CREATE YET ANOTHER EXCEL FILE TO TRACK THEM) → VALIDATE THE FIXES → SCAN AGAIN AND START OVER
INTERNET → NETWORK PERIMETER / DMZ → INTERNAL NETWORK
PROBLEM
FIND THE BUGS YOU NEED TO FIX, TAKE ACTION ON THE FINDINGS
VULNERABILITY SCANNER → EXPORT THE REPORTS (PDF, CSV) → DISTRIBUTE THE REPORTS → TRACK THE FIXES (THE SYSTEM ADMINISTRATORS CREATE YET ANOTHER EXCEL FILE TO TRACK THEM) → VALIDATE THE FIXES → SCAN AGAIN AND START OVER
PROBLEM
THINK DIFFERENT
SCANNER → DATABASE → WEBSITE
SCANNER → DATABASE → ISSUE TRACKING
RETINA → POSTGRES → JIRA
RUBY SCRIPTS, JIRA API, DATA TYPES NORMALIZATION, USER INTERFACE, WORKFLOW, ACCOUNTABILITY, DOCUMENTATION, TRACKING, FEEDBACK
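The slide above describes the pipeline (scanner export, normalization into a database, tickets in the issue tracker, tracking and validation on the next scan) without showing what the glue scripts do. The Ruby below is an added illustration written for this page, not the presenters' scripts: it parses two constructed CSV exports (not real Retina or Nessus output), normalizes each finding to a stable host:port:plugin key, reconciles the new scan against a tracker table, and builds the fields a ticket-creation call would send. The project key `VULN`, the severity-to-priority mapping and the `reconcile` status names are assumptions; the tracker is an in-memory Hash standing in for the Postgres table, and no Jira call is made.

```ruby
require 'csv'
require 'set'

# Constructed sample scanner exports (not real Retina or Nessus output):
# two consecutive scans of the same network segment.
SCAN_1 = <<~CSV
  host,port,plugin_id,severity,name
  10.0.0.5,445,1001,High,SMB signing not required
  10.0.0.5,22,1002,Medium,SSH weak ciphers
  10.0.0.9,80,1003,Low,Server banner disclosure
CSV

SCAN_2 = <<~CSV
  host,port,plugin_id,severity,name
  10.0.0.5,22,1002,medium,SSH weak ciphers
  10.0.0.9,80,1003,Low,Server banner disclosure
  10.0.0.9,443,1004,Critical,Outdated TLS library
CSV

Finding = Struct.new(:key, :host, :port, :plugin_id, :severity, :name)

# Normalize one export into findings with a stable key (host:port:plugin),
# so the same issue reported by two scans maps to the same tracker record.
def parse_export(csv_text)
  CSV.parse(csv_text, headers: true).map do |row|
    host   = row['host'].strip.downcase
    port   = Integer(row['port'].strip, 10)
    plugin = row['plugin_id'].strip
    Finding.new("#{host}:#{port}:#{plugin}", host, port, plugin,
                row['severity'].strip.capitalize, row['name'].strip)
  end
end

# Assumed mapping from scanner severity to issue-tracker priority names.
PRIORITY = { 'Critical' => 'Highest', 'High' => 'High',
             'Medium' => 'Medium', 'Low' => 'Low' }.freeze

# Fields a ticket-creation call would send; 'VULN' is a placeholder project key.
def ticket_fields(finding, project_key = 'VULN')
  { project: project_key,
    summary: "[#{finding.severity}] #{finding.name} on #{finding.host}:#{finding.port}",
    priority: PRIORITY.fetch(finding.severity, 'Medium'),
    labels: ["plugin-#{finding.plugin_id}"] }
end

# Reconcile a new scan against the tracker (Hash key => {status:, finding:}).
# Returns the actions taken so the caller can create or transition tickets.
# accepted_keys lists findings with a documented risk acceptance (false
# positive or won't fix); they are recorded but never get an open ticket.
def reconcile(tracker, findings, accepted_keys = [])
  seen    = findings.map(&:key).to_set
  actions = []
  findings.each do |f|
    rec = tracker[f.key]
    if accepted_keys.include?(f.key) || (rec && rec[:status] == 'accepted')
      tracker[f.key] = { status: 'accepted', finding: f }
      actions << [:accepted, f.key]
    elsif rec && rec[:status] == 'open'
      actions << [:still_open, f.key]
    elsif rec && rec[:status] == 'fixed'
      rec[:status] = 'open'               # regression: fix did not hold
      actions << [:reopened, f.key]
    else
      tracker[f.key] = { status: 'open', finding: f }
      actions << [:opened, f.key]
    end
  end
  # Anything open that the new scan no longer reports is validated as fixed.
  tracker.each do |key, rec|
    next unless rec[:status] == 'open' && !seen.include?(key)
    rec[:status] = 'fixed'
    actions << [:validated_fixed, key]
  end
  actions
end

def status_of(tracker)
  tracker.transform_values { |r| r[:status] }
end

if __FILE__ == $PROGRAM_NAME
  tracker = {}
  reconcile(tracker, parse_export(SCAN_1))
  reconcile(tracker, parse_export(SCAN_2), ['10.0.0.9:80:1003']).each { |a| p a }
  p status_of(tracker)
end
```

The key point is that "validate the fixes" is not a manual step here: a finding is only marked fixed when a later scan of the same host no longer reports it, and it is reopened automatically if it comes back. Risk-accepted findings are kept in the table with their own status so they remain visible to audit without generating tickets.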
FUTURE
NESSUS IS REPLACING RETINA (NEW VULNERABILITY SCANNER)
IDENTIFY FALSE POSITIVE AND WON’T FIX (GLOBAL RISK ACCEPTANCE)
MORE, MORE, MORE (AUTOMATION)
BECAUSE IT’S DAMN GOOD (DELICIOUS CAKE)
BE THE CHANGE YOU SEEK
Do we have a formal vulnerability scanning process in place and an active plan to address vulnerabilities that are discovered? There are and will continue to be bugs and holes in software that can be exploited. Your vendors will (or at least should) be doing their best to fix them as fast as they can, but the fixes won’t help if you don’t know you need them and then don’t deploy them. Remediation is going to be disruptive to normal operations, so you need an active plan and proven process for ensuring that the work gets done in a timely fashion.