What is a Vulnerability?
The NIST definition of a vulnerability is "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." I would put it more simply: the surface area that can be exploited. It can come from a bug, from poor software design, or even from a misconfiguration. NVD makes your job a little easier 🙂 by publishing Common Vulnerabilities and Exposures (CVEs) along with CVSS scores, which tell you how critical each vulnerability is. What next? Yes, run around and fix the vulnerability.
Vulnerability Management the Old Way
We used to find the security updates and configuration changes needed to fix the vulnerability. Most important was to prioritize based on the risk of a security incident. Then test the update in a test environment. Finally, schedule the change and deploy it in production. How painful it was!
In the Cloud
We treat resources as cattle, not pets: one can be replaced by another. Importantly, the architecture has to suit this! So how does it actually work? Cloud lets your infrastructure be part of your application code. Yes! Hit both mangoes with the same stone 🙂 by using continuous integration and continuous delivery. We are in the age of a single- or double-digit number of deployments a day. The fun part is that you only need to fix the issue in the code; everything from building the code to deployment happens automatically.
Tools
There are various vulnerability assessment tools on the market, covering the different stages of the software lifecycle.
- Static application scanner
- Dynamic application scanner
- Interactive application scanner
- Software composition analysis
- Network vulnerability scanner
- Agentless scanning and configuration management
- Agent-based scanning and configuration management
- Runtime application self-protection
- Penetration testing
Phew! That’s a lot. The tip is to identify a product that can be used in most parts of the lifecycle.
Metrics
How do you measure whether your tools are actually doing the job for you?
- Tool coverage: does the tool cover the programming languages used in your business?
- Mean time to remediate: how long it takes to fix a vulnerability once the tool reports it
- Percentage of false positives
- Percentage of false negatives
- Vulnerability reoccurrence rate
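As an added example, not part of the original post, here are those five metrics computed over a constructed set of scanner findings plus a constructed ground-truth list from a manual review. The asset names, vulnerability IDs, dates and the simple metric definitions are all assumptions made for the illustration.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not from any real scanner). One dict per finding the tool reported.
# "tp" records the triage verdict: True = real vulnerability, False = false positive.
# "fixed" is None while the finding is still open. Vulnerability IDs are placeholders.
FINDINGS = [
    {"asset": "web-1", "vuln": "CVE-EXAMPLE-1", "found": date(2024, 1, 2), "fixed": date(2024, 1, 9), "tp": True},
    {"asset": "web-1", "vuln": "CVE-EXAMPLE-1", "found": date(2024, 2, 1), "fixed": date(2024, 2, 3), "tp": True},
    {"asset": "api-1", "vuln": "CVE-EXAMPLE-2", "found": date(2024, 1, 5), "fixed": date(2024, 1, 17), "tp": True},
    {"asset": "api-1", "vuln": "CVE-EXAMPLE-3", "found": date(2024, 1, 6), "fixed": None, "tp": True},
    {"asset": "db-1", "vuln": "CVE-EXAMPLE-4", "found": date(2024, 1, 7), "fixed": date(2024, 1, 8), "tp": False},
]
# Constructed ground truth: every (asset, vuln) pair a manual review confirmed really existed.
TRUE_VULNS = {("web-1", "CVE-EXAMPLE-1"), ("api-1", "CVE-EXAMPLE-2"),
              ("api-1", "CVE-EXAMPLE-3"), ("db-1", "CVE-EXAMPLE-5")}

def tool_coverage(tool_languages, business_languages):
    """Fraction of the languages your business uses that the tool can scan."""
    return len(set(tool_languages) & set(business_languages)) / len(set(business_languages))

def mean_time_to_remediate(findings):
    """Average days from discovery to fix, over true positives that have been fixed."""
    days = [(f["fixed"] - f["found"]).days for f in findings if f["tp"] and f["fixed"]]
    return mean(days) if days else None

def false_positive_rate(findings):
    """Share of reported findings that triage rejected as not real."""
    return sum(not f["tp"] for f in findings) / len(findings)

def false_negative_rate(findings, true_vulns):
    """Share of real vulnerabilities the tool never reported."""
    reported = {(f["asset"], f["vuln"]) for f in findings if f["tp"]}
    return len(true_vulns - reported) / len(true_vulns)

def reoccurrence_rate(findings):
    """Share of distinct real vulnerabilities that were fixed and later reported again."""
    history = {}
    for f in sorted(findings, key=lambda f: f["found"]):
        if f["tp"]:
            history.setdefault((f["asset"], f["vuln"]), []).append(f)
    if not history:
        return 0.0
    # A reoccurrence is a later sighting found after an earlier sighting was fixed.
    reoccurred = sum(1 for h in history.values()
                     if any(a["fixed"] and b["found"] > a["fixed"] for a, b in zip(h, h[1:])))
    return reoccurred / len(history)

if __name__ == "__main__":
    print("coverage:", tool_coverage(["python", "java", "go"], ["python", "java", "javascript", "go"]))
    print("MTTR days:", mean_time_to_remediate(FINDINGS))
    print("false positive rate:", false_positive_rate(FINDINGS))
    print("false negative rate:", false_negative_rate(FINDINGS, TRUE_VULNS))
    print("reoccurrence rate:", reoccurrence_rate(FINDINGS))
```

Feed the same functions your real scanner export and triage decisions to track the metrics over time; the false negative rate is only as good as the independent review that produces the ground truth.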