Container Vulnerability Management Best Practices
Saty Sundarram · 2023-04-24 · via RapidFort Blog

Modern software applications depend on hundreds of components to function properly. GitHub projects have an average of 700 open-source dependencies. In examining 1,700 codebases across 17 industries, Synopsys found that 96% of codebases contained open-source components, and 84% of those codebases contained at least one vulnerability.

The dependencies in software projects can be direct or transitive and take different forms. These include:

  • Database dependencies: programming libraries for accessing specific database management systems (e.g. MySQL, MS SQL Server)
  • Web server libraries: code that uses functions of the underlying web server (e.g. Apache, Nginx)
  • Programming language dependencies: frameworks, code libraries, and other tools for building applications in a language such as Python, Java, C#, or C++
  • Third-party dependencies: components acquired from external vendors to provide functionality such as authentication or data visualization
  • API code: client code used to access other services

Using code from external sources helps development teams build their applications quickly and cut development costs. However, it also opens the door for threat actors to exploit any vulnerability in the components used. From there they can gain unauthorized access to the application, the host operating system, and the underlying IT infrastructure.

Threat actors always seek entry points to gain unauthorized access, and flawed third-party components present the perfect opportunity. The Log4j incident is a notable example.

Let’s look at the importance and benefits of vulnerability management. We’ll outline best practices for managing vulnerabilities and share some vulnerability assessment best practices. Then we will show how RapidFort's Software Attack Surface Management (SASM) can minimize your software attack surface and risk posture significantly. RapidFort not only scans your containers and prioritizes vulnerabilities, but also automatically hardens them.

Vulnerability management is the ongoing and proactive process of identifying, evaluating, and remediating vulnerabilities in systems, applications, and IT infrastructure. It uses automated tools and manual processes to discover security vulnerabilities and prioritize them by severity. Vulnerability scanners identify issues, and some also suggest preventive measures for remediating them.

Vulnerability management solutions are commonly connected with a vulnerability database such as NVD. The database provides detailed information about each discovered vulnerability along with its severity.

Why is vulnerability management so important?

A vulnerability management program is essential to any cloud security strategy. A continuous vulnerability management strategy helps security teams discover and fix vulnerabilities early in the development life cycle. The major benefit of vulnerability management tools is reducing the risks of security breaches, data loss, and other security incidents.

There are several benefits of implementing a vulnerability management framework:

  • Defend against cyberattacks: A successful cyberattack can have catastrophic consequences. It can take an online service down, result in a data breach, and damage an organization's reputation. Effective vulnerability management ensures teams can patch or eliminate most vulnerabilities before hackers exploit them.
  • Achieve compliance: Many regulatory compliance programs require organizations to ensure the security of customers' personal information. Programs such as the Payment Card Industry (PCI) standard and the Health Insurance Portability and Accountability Act (HIPAA) require organizations to have a vulnerability management program in place. Failing to comply results in financial fines and other penalties.
  • Reduce costs: It is far more cost-effective to implement threat and vulnerability management best practices ahead of time. Detecting and mitigating vulnerabilities in IT environments, cloud applications, and infrastructure is much more expensive after the fact.
  • Sustain business continuity: Vulnerability management avoids business disruptions resulting from security incidents, such as outages and breaches.
  • Enhance security posture: Individual and corporate clients are more likely to do business with organizations that have a strong security posture, as it assures them that their sensitive information will remain secure.

Vulnerability management best practices

Web-based attacks are the primary cause of data breaches. Here are the best practices for how to manage vulnerabilities across your organization. 

Incorporate security in the early application development process

Involve the security team early in the software development life cycle (SDLC). From the beginning, a secure SDLC must include security measures such as: 

  • Source code review
  • Penetration testing
  • Architecture analysis
  • Threat modeling
  • Risk analysis

Continuously scan containers for vulnerabilities

Containers have become ubiquitous in software projects due to their portability, scalability, ease of use, and cost-effectiveness. However, as with everything in technology, there is a security price.

There are thousands of container images available to download for free. Developers use off-the-shelf container images to speed up the development process and easily incorporate certain functionality into their applications.

Software container images may use outdated code borrowed from other sources (mainly open source) or incorporate unnecessary software libraries. This practice has three major drawbacks. First, it increases the number of vulnerabilities in the container image. Second, it broadens the attack surface of the container host. Finally, it exposes the underlying host infrastructure to various security risks.

To mitigate risks associated with using container images, you should:

  • Only download container images from trusted sources such as Docker Hub (the world's largest container image library) or Iron Bank
  • Perform regular vulnerability scanning of all application containers at every stage of the CI/CD pipeline
  • Configure your containers securely by using strong passwords and closing unnecessary services and ports
  • Avoid storing sensitive information such as access credentials in container configuration files. Instead, use a secrets manager (e.g. HashiCorp Vault or AWS Secrets Manager) to store credentials safely

Security testing

Security testing helps organizations protect their applications and other IT assets from malicious attacks. There are two types of security testing that security teams should incorporate into their CI/CD pipeline.

Static Application Security Testing (SAST): In this type, application source code is tested for vulnerabilities. Static testing does not require the software to run. SAST allows the discovery of common vulnerabilities such as those listed in the OWASP Top Ten.

Dynamic Application Security Testing (DAST): In this type, the program is executed first and exercised while it is running. DAST has no access to application source code and identifies runtime security issues and behavioral risks. DAST helps prevent common cyber attacks such as SQL injection, cross-site scripting (XSS), XML external entities (XXE), and cross-site request forgery (CSRF).

Scan underlying IT infrastructure for vulnerabilities

The IT infrastructure includes all the hardware and software components your business relies on to operate. Securing IT infrastructure is vital for container images because it helps to protect the underlying systems that run the containers. If the host system suffers a cyber attack and becomes insecure, this will impact the container image, too.

There are various methods to protect IT infrastructure, such as:

  • Install firewalls and IDS/IPS systems to restrict access to the internal network
  • Keep operating systems up to date
  • Scan installed operating systems and applications for vulnerabilities
  • Enforce least privilege and separation of duties within your organization
  • Establish security policies and procedures that all users and third-party contractors accessing your IT systems must follow

What to look for in a vulnerability management tool 

RapidFort provides a unique solution for scanning and hardening your containers and their underlying infrastructure. The main benefits of using the RapidFort SASM solution include:

Understand exactly what's running in your container: RapidFort automatically generates a Software Bill of Materials (SBOM), which provides complete visibility into all components (software packages, APIs, code libraries, and other dependencies) in an application. SBOMs are now crucial, as they are required when working with the US federal government.

Easily remove unnecessary components: Many containers include software packages that are not needed for their functionality. RapidFort provides a Real Bill of Materials (RBOM), which shows exactly which container components are actually in use. That makes it easy to eliminate everything that is not in use.

Vulnerability prioritization: RapidFort gives you CVSS scores for the scanned containers. CVSS is a score between 0.0 and 10.0 (10.0 is the most critical). In addition, RapidFort provides the Rapid Risk Score (RRS), which is the probability that an exploit (proof of concept) will become available for the CVE within the next 90 days. Security teams can use RRS along with CVSS to prioritize vulnerabilities.
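The RBOM-driven elimination and the RRS-plus-CVSS prioritization described in the two paragraphs above, as an added example that is not RapidFort's code: the SBOM, runtime profile, CVE identifiers and scores are all constructed, and the composite score cvss × rrs is one reasonable way to combine the two signals, assumed here rather than RapidFort's formula.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One CVE reported by a scanner against one package in the image."""
    cve: str
    package: str
    cvss: float  # 0.0 to 10.0, 10.0 being the most critical
    rrs: float   # probability of a PoC exploit within 90 days, 0.0 to 1.0

# Constructed SBOM for a hypothetical image: every package the scanner lists.
SBOM = {"openssl", "curl", "libxml2", "python3", "gcc", "perl", "vim"}
# Constructed runtime profile: packages observed in use while the container
# was exercised under representative test traffic.
RUNTIME_PROFILE = {"openssl", "python3", "libxml2"}
# Constructed findings; the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    Finding("CVE-0000-0001", "openssl", 9.8, 0.70),
    Finding("CVE-0000-0002", "curl", 9.1, 0.85),
    Finding("CVE-0000-0003", "libxml2", 5.5, 0.60),
    Finding("CVE-0000-0004", "gcc", 7.5, 0.05),
    Finding("CVE-0000-0005", "python3", 7.5, 0.10),
    Finding("CVE-0000-0006", "perl", 8.1, 0.02),
]

def rbom(sbom, runtime_profile):
    """Components actually exercised at runtime. Anything in the SBOM but
    absent here was never used and is a candidate for removal."""
    return set(sbom) & set(runtime_profile)

def split_findings(findings, in_use):
    """Partition findings into those on in-use packages, which still need
    triage, and those eliminated simply by removing the unused package."""
    remaining = [f for f in findings if f.package in in_use]
    eliminated = [f for f in findings if f.package not in in_use]
    return remaining, eliminated

def prioritise(findings):
    """Rank remaining CVEs by expected severity, cvss * rrs, so a critical
    CVE nobody is likely to exploit ranks below a medium one with a PoC
    imminent; ties fall back to raw CVSS. The composite is an assumption
    of this example, not RapidFort's formula."""
    ranked = sorted(findings, key=lambda f: (f.cvss * f.rrs, f.cvss), reverse=True)
    return [f.cve for f in ranked]

def triage(sbom, runtime_profile, findings):
    """Derive the RBOM, drop CVEs on unused packages, rank what is left."""
    remaining, eliminated = split_findings(findings, rbom(sbom, runtime_profile))
    return {
        "removable_packages": sorted(set(sbom) - set(runtime_profile)),
        "eliminated_cves": sorted(f.cve for f in eliminated),
        "priority_order": prioritise(remaining),
    }

if __name__ == "__main__":
    print(triage(SBOM, RUNTIME_PROFILE, FINDINGS))
```

In the constructed data, half of the findings disappear without a single patch because their packages were never loaded, and among the rest the high-RRS libxml2 finding outranks the higher-CVSS but rarely exploited python3 one.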

Enhanced security: RapidFort’s off-the-shelf hardening profiles help you automatically improve security and run your containers in a more secure environment.

Seamless pipeline integration: RapidFort’s SASM platform easily integrates into your CI/CD pipeline so you can automatically create secure containers in minutes.

Reduced patch management/backlog: By automatically eliminating unused components, RapidFort eliminates hundreds or thousands of open-source vulnerabilities in minutes. This drastically shrinks the patch management queue and improves open-source container security.

To check the full features of the product and see how RapidFort works in action, go to https://www.rapidfort.com/sasm-full-edition and test it for free. 

The longer a vulnerability lasts in your development environment, the costlier it is to fix. RapidFort's Software Attack Surface Management (SASM) platform removes the burden of vulnerability discovery and remediation from DevOps teams so they can focus on delivering features and functionality.