Mar 06, 2015
Software applications are susceptible to a diverse array of different vulnerabilities. With each vulnerability posing a unique set of problems, it can be difficult for development teams to decide on the right course of action. In order to balance the benefits of fixing a vulnerability with the costs of doing so, it's essential for organisations to be able to prioritise software vulnerabilities.
Understanding the Spectrum of Software Vulnerabilities
Whilst some software vulnerabilities pose potentially catastrophic risks to an organisation, others are less serious. These vulnerabilities can make it into a finished application without much risk, and fixing these issues can often be a serious misallocation of resources.In order to determine which vulnerabilities necessitate immediate remediation, and which can be handled through basic security awareness, it's essential to develop a system for ranking the threats posed by vulnerabilities.
Measuring Exploitability and Severity
Prioritising individual vulnerabilities requires an analysis of two crucial factors: exploitability and severity.Exploitability is the likelihood of a particular vulnerability being discovered and acted upon by a malicious third party. Microsoft use a four-tier rating system for categorising the exploitability of a vulnerability, ranging from Exploitation Unlikely through to Exploitation Detected. At its lowest level, this means a vulnerability is unlikely to be detected by a third-party, and even less likely to be successfully acted upon. At its highest level, a vulnerability has already been exploited.Severity refers to a vulnerability's potential to cause damage. The CIA framework can be useful for categorising the severity of a vulnerability, with the most severe problems exposing sensitive data (Confidentiality), allowing third-parties to manipulate information (Integrity) and disrupting service (Availability).
Developing a Vulnerability Ranking System
These two factors can be used to create a qualitative assessment of the dangers posed by individual vulnerabilities. Those problems which are both easy to exploit (or have already been exploited) and likely to cause severe damage are High priority, requiring immediate remediation. Those which are unlikely to be exploited and risk only non-sensitive data information are Low priority, and may not require remediation.High Priority: High exploitability and high severity, immediate remediation required.Medium Priority: High exploitability and low severity, or low exploitability and high severity, remediation may be required.Low Priority: Low exploitability and low severity, remediation not required.Noteworthy Issues: Non-serious instances of less-than-best-practice or unsuccessful attempts at compromising a system. These issues are worthy of note but will not require remediation.
The Costs and Benefits of Fixing a Vulnerability
Whilst both High and Low priority vulnerabilities necessitate a clear course of action (or inaction), it can be harder to choose a response for Medium priority issues. These are typically issues which either have a small chance of serious damage, or a high chance of moderate damage; and in order to determine the correct response, it's necessary to factor in the costs and benefits of issuing a fix.In some instances, fixing a vulnerability may cause considerable disruption to the end-user, or require significant developer hours to create a fix and conduct compatibility testing. The high costs associated with this type of vulnerability might mean that the benefits of issuing the fix are outweighed by the costs. In other instances, a fix may be relatively cheap to enact, and may prevent potentially serious data breaches.The varied nature of software vulnerabilities require development teams to be measured and dynamic in their response. With vulnerabilities a relative fact of life, it's essential that individual problems are responded to on a case-by-case basis, and resources are allocated to those issues that present the most grave and immediate threat.In a perfect world, each and every vulnerability would be fixed - but with limited budgets and developer hours available, prioritising software vulnerabilities is an absolute necessity.