Making Vulnerability Management Count
Today I took a moment and reflected on the nearly two decades I’ve spent designing and maintaining numerous vulnerability management programs. I’ve used a variety of tools along the way: AppScan, Nessus, Qualys, Burp, Metasploit… you name it. I’ve built custom reporting dashboards, and compiled reports for developers to executives and just everyone in between. But for all the pretty reports and eye-opening vulnerabilities I’ve shown, merely showing a vulnerability feels empty, unfulfilling, and somehow incomplete.
Sure, it feels good to uncover a logic error in an ecommerce app (free products, anyone?) and I still get a rush of adrenaline when ruthlessly exploiting a web app that never didn’t anything wrong by me. But the ultimate feeling of accomplishment is not discovering the vulnerability; it’s fixing it. “Moving the needle” I call it.
Moving the needle is hard, and here’s why: you’re changing the way people operate. You’re forcing someone to upgrade that application that hasn’t been touched in years. You’re highlighting how the server team has no patching policy. You’re exposing the fact some corporate policy has been selectively applied; or not applied at all. Essentially you’re showing that talk is cheap, and it’s time to walk the walk.
Perhaps counter-intuitively, this role of “needle mover” isn’t one of draconian rule or iron-fisted dictatorship. Surprisingly, it’s one of leadership in its purest form, and here’s the secret sauce: YOU are walking the walk. YOU must show the developers how to sanitize input to prevent SQL injection. YOU must prove how an AWS instance lifecycle can realistically include reinstantiation of patched images. YOU must build a proof of concept to exploit that e-commerce app *and* draft the logic for safeguards to thwart exploitation. To put it simply: YOU take ownership of the issue and coach others on how to fix the problems of today while fully baking in the processes to help teams be self-sufficient in the future. It’s a strange intersection between coaching, teaching, consulting, and achievement of real results. And I love it.